Pushwoosh, a software company whose code is embedded in thousands of widely-used apps sold by the Apple and Google Play app stores, has sold itself as a United States-based tech enterprise. However, reporting by Reuters has revealed that the company is actually Russian, potentially compromising organizations of all sizes and scopes — including the Centers for Disease Control and Prevention (CDC). In response, the organization, which is the United States’ primary resource for fighting health threats, removed Pushwoosh software from several public-facing apps.
The CDC is not the first U.S. government-related body to remove Pushwoosh software over security concerns; in March 2022, the U.S. Army removed a compromised app used by soldiers at a major training base.
Pushwoosh, revealed to be based out of the Siberian town of Novosibirsk, utilized fake street addresses and employees on LinkedIn to maintain the deception, suggesting at various times it was based in California, Maryland, and Washington, D.C. The company provides code and data processing support for developers worldwide, but it claims it doesn’t collect sensitive information. Many organizations are avoiding any connection to Russian technology companies over cybersecurity concerns, especially as the country continues to engage in its unprovoked invasion of Ukraine.