According to company documents publicly filed in Russia and reviewed by Reuters, Pushwoosh is headquartered in the Siberian town of Novosibirsk, where it is registered as a software company that also carries out data processing. It employs around 40 people and reported revenue of 143,270,000 rubles ($2.4 mln) last year. Pushwoosh is registered with the Russian government to pay taxes in Russia.
On social media and in U.S. regulatory filings, however, it presents itself as a U.S. company, based at various times in California, Maryland and Washington, D.C., Reuters found.
Pushwoosh's founder, Max Konev, told Reuters in a September email that the company had not tried to mask its Russian origins. "I am proud to be Russian and I would never hide this."
He said the company "has no connection with the Russian government of any kind" and stores its data in the United States and Germany.
Cybersecurity experts said storing data overseas would not prevent Russian intelligence agencies from compelling a Russian firm to cede access to that data, however.
On its website, Pushwoosh says it does not collect sensitive information, and Reuters found no evidence Pushwoosh mishandled user data. Russian authorities, however, have compelled local companies to hand over user data to domestic security agencies.
In U.S. regulatory filings and on social media, Pushwoosh never mentions its Russian links. The company lists "Washington, D.C." as its location on Twitter and claims its office address as a house in the suburb of Kensington, Maryland, according to its latest U.S. corporation filings submitted to Delaware's secretary of state. It also lists the Maryland address on its Facebook and LinkedIn profiles.
The Kensington house is the home of a Russian friend of Konev's who spoke to a Reuters journalist on condition of anonymity. He said he had nothing to do with Pushwoosh and had only agreed to allow Konev to use his address to receive mail.
Konev said Pushwoosh had begun using the Maryland address to "receive business correspondence" during the coronavirus pandemic.
He said he now operates Pushwoosh from Thailand but provided no evidence that it is registered there. Reuters could not find a company by that name in the Thai company registry.
Pushwoosh provices code and data processing support for software developers, enabling them to profile the online activity of smartphone app users and send tailor-made push notifications from Pushwoosh servers.
Pushwoosh code has been embedded into almost 8,000 apps in the Google and Apple app stores, according to Appfigures, an app intelligence website. Pushwoosh's website says it has more than 2.3 billion devices listed in its database.
"Pushwoosh collects user data including precise geolocation, on sensitive and governmental apps, which could allow for invasive tracking at scale," said Jerome Dangu, co-founder of Confiant, a firm that tracks misuse of data collected in online advertising supply chains.
"We haven't found any clear sign of deceptive or malicious intent in Pushwoosh's activity, which certainly doesn't diminish the risk of having app data leaking to Russia," he added.
Pushwoosh used LinkedIn accounts purportedly belonging to two Washington, D.C.-based executives named Mary Brown and Noah O'Shea to solicit sales. But neither Brown nor O'Shea are real people, Reuters found.
Pushwoosh code was installed in the apps of a wide array of international companies, influential non-profits and government agencies from global consumer goods company Unilever Plc. and the Union of European Football Associations (UEFA) to the politically powerful U.S. gun lobby, the National Rifle Association (NRA), and Britain's Labor Party.
The U.S. Army said it had removed an app containing Pushwoosh code in March because of the same concerns. That app was used by soldiers at one of the country's main combat training bases.
U.S. Army spokesperson Bryce Dubee said the Army had suffered no "operational loss of data," adding that the app did not connect to the Army network.
The Centers for Disease Control and Prevention (CDC), the United States' main agency for fighting major health threats, said it had been deceived into believing Pushwoosh was based in the U.S. capital. After learning about its Russian roots from Reuters, it removed Pushwoosh software from seven public-facing apps, citing security concerns.
After Reuters raised Pushwoosh's Russian links with the CDC, the health agency removed the code from its apps because "the company presents a potential security concern," spokesperson Kristen Nordlund said.
"CDC believed Pushwoosh was a company based in the Washington, D.C. area," Nordlund said in a statement. The belief was based on "representations" made by the company, she said, without elaborating.
The CDC apps that contained Pushwoosh code included the agency's main app and others set up to share information on a wide range of health concerns. One was for doctors treating sexually transmitted diseases. While the CDC also used the company's notifications for health matters such as COVID, the agency said it "did not share user data with Pushwoosh."
