Updated on 2022-12-13: More Pushwoosh findings
Pushwoosh, the Russian software company whose code was removed from several US government apps earlier this year, claimed after a Reuters exposé that it had stopped using code from its Russian developers after Russia’s invasion of Ukraine. However, Margin Research, a DARPA contractor, said that after analyzing the company’s GitHub history it found this claim to be false: many code contributions were made in the GMT+7 timezone used in Russia. Read more:
- EXCLUSIVE Russian software disguised as American finds its way into U.S. Army, CDC apps
- Analyzing Russian SDK Pushwoosh and Russian Code Contributions
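Margin Research’s conclusion rests on the timezone offsets recorded in commit metadata. As an added example (not Margin Research’s or Pushwoosh’s code), the Python script below tallies author timezone offsets from `git log --format='%h %aI %ae'` output, optionally restricted to commits after a cutoff date; the log lines, hashes and e-mail addresses are constructed. The author timezone is set by the committer’s own machine, so treat the histogram as a provenance signal to corroborate, not as proof.

```python
"""Tally author timezone offsets in git commit metadata (supply-chain provenance check)."""
from collections import Counter
from datetime import datetime, timezone

# Constructed sample shaped like `git log --format='%h %aI %ae'` output.
# Hashes, dates and addresses are invented and do not come from any real repository.
SAMPLE_LOG = """\
a1b2c3d 2022-01-10T14:02:11+07:00 dev-one@example.com
b2c3d4e 2022-03-03T09:41:27+07:00 dev-one@example.com
c3d4e5f 2022-03-15T16:20:05-07:00 dev-two@example.com
d4e5f6a 2022-04-02T11:08:49+07:00 dev-three@example.com
e5f6a7b 2022-05-20T18:30:00-04:00 dev-two@example.com
"""

# Date after which the vendor claimed no code came from its Russian developers.
CUTOFF = datetime(2022, 2, 24, tzinfo=timezone.utc)


def parse_log(text):
    """Yield (sha, timezone-aware datetime, author e-mail) for each non-empty log line."""
    for line in text.splitlines():
        if not line.strip():
            continue
        sha, iso, email = line.split()
        yield sha, datetime.fromisoformat(iso), email


def offset_label(dt):
    """Render the datetime's UTC offset as 'UTC+07:00' for use as a histogram key."""
    secs = int(dt.utcoffset().total_seconds())
    sign = "+" if secs >= 0 else "-"
    hours, minutes = divmod(abs(secs) // 60, 60)
    return f"UTC{sign}{hours:02d}:{minutes:02d}"


def offset_histogram(text, since=None):
    """Count commits per author timezone offset, keeping only commits authored at or after `since`."""
    counts = Counter()
    for _sha, when, _email in parse_log(text):
        if since is not None and when < since:  # aware datetimes compare across offsets
            continue
        counts[offset_label(when)] += 1
    return counts


def share_from_offset(text, label, since=None):
    """Fraction of (filtered) commits authored from the given offset, e.g. 'UTC+07:00'."""
    hist = offset_histogram(text, since)
    total = sum(hist.values())
    return hist[label] / total if total else 0.0


if __name__ == "__main__":
    for label, n in offset_histogram(SAMPLE_LOG, since=CUTOFF).most_common():
        print(f"{label}: {n}")
```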
Updated on 2022-11-29: Pushwoosh linked to malware operation
Investigative infosec reporter Brian Krebs and security researcher Zach Edwards have found links between mobile software company Pushwoosh and the Pincer malware operation from the early 2010s. Pushwoosh rose to infamy this month after a Reuters report found that the company’s code was recently removed from several US government mobile applications after US officials discovered that the company pretended to be based in the US but was actually based in Russia. Krebs says that one of Pushwoosh’s employees is a man he identified in 2013 as the author of Pincer, an Android trojan that was capable of intercepting and forwarding text messages from Android mobile devices. Read more:
- U.S. Govt. Apps Bundled Russian Code With Ties to Mobile Malware Developer
- EXCLUSIVE Russian software disguised as American finds its way into U.S. Army, CDC apps
- Who Wrote the Pincer Android Trojan?
Updated on 2022-11-21: Russian software disguised as American finds its way into U.S. government apps
A U.S. Army mobile app used by soldiers and a mobile app used by the CDC contained code from a software company with links to Russia; the code collects users’ data, such as geolocation, and could allow tracking at scale. Pushwoosh, which has done little to quell the claims, appears to be a U.S. company but is in fact Russian, Reuters found, sparking security concerns. The government removed the code from its apps, but the case once again highlights how data siphoned from apps on your phone can easily end up in the hands of potentially malicious actors. Read more: EXCLUSIVE Russian software disguised as American finds its way into U.S. Army, CDC apps
Last year, while conducting audits on SDKs installed in mobile apps for @SafeTechLabs, a popular SDK installed in thousands of apps called “Pushwoosh” started to raise some odd questions, was it secretly Russian? Reuters has an explosive story out today: https://t.co/vqytktKKlW🧵
— Zach Edwards (@thezedwards) November 14, 2022
NEW from @marisaataylor and I: Russian software disguised as American finds its way into a wide array of international companies, influential nonprofits and government agencies, including @USArmy, @CDCgov, @Unilever, @UEFA, @NRA and @UKLabour apps. https://t.co/4wie9Id21D
— James Pearson (@pearswick) November 14, 2022
“The @USArmy and @CDCgov both said they had been deceived by Pushwoosh into believing that the company was American. The company used fake @LinkedIn profiles to solicit sales in the U.S. and first registered the business to a non-existent address in California.” https://t.co/QiiOQS7MfF
— Kim Zetter (@KimZetter) November 14, 2022
Updated on 2022-11-15: Russian company posing as American
A Reuters report has uncovered that the Pentagon was using applications that contained code from a software firm named Pushwoosh that claimed to be US-based but was actually a Russian company. The company’s code was also found in thousands of mobile apps across Apple and Google’s online app stores. Read more: EXCLUSIVE Russian software disguised as American finds its way into U.S. Army, CDC apps
Overview: Russian Code Found Its Way into Army, CDC Apps
The CDC and the Army used code from Pushwoosh in their own apps because they believed Pushwoosh was a U.S. company. Pushwoosh’s social media profiles state that it is indeed a U.S. company, but Reuters discovered it is actually a Russian company headquartered in Siberia. Upon discovering the origin of the Pushwoosh code, the Army removed the app, and the CDC removed the software from its public-facing applications, citing security concerns.
Note
- Supply chain security requires understanding not only the security of the code you use but also its origins. Note that Pushwoosh represents itself as a U.S. company in regulatory filings, claiming at various times to be based in California, Maryland, and Washington D.C. When assessing the risk, consider not only a supplier’s origin but also its TTPs, and evaluate how they could impact you.
Read more in