Russian Software Company Pretending to Be American

Computer code developed by a company called Pushwoosh is in about 8,000 Apple and Google smartphone apps. The company pretends to be American when it is actually Russian.

According to company documents publicly filed in Russia and reviewed by Reuters, Pushwoosh is headquartered in the Siberian town of Novosibirsk, where it is registered as a software company that also carries out data processing. It employs around 40 people and reported revenue of 143,270,000 rubles ($2.4 mln) last year. Pushwoosh is registered with the Russian government to pay taxes in Russia.

On social media and in US regulatory filings, however, it presents itself as a US company, based at various times in California, Maryland, and Washington, DC, Reuters found.

What does the code do? Spy on people:

Pushwoosh provides code and data processing support for software developers, enabling them to profile the online activity of smartphone app users and send tailor-made push notifications from Pushwoosh servers.

On its website, Pushwoosh says it does not collect sensitive information, and Reuters found no evidence Pushwoosh mishandled user data. Russian authorities, however, have compelled local companies to hand over user data to domestic security agencies.

I have called supply chain security “an insurmountably hard problem,” and this is just another example of that.

EDITED TO ADD (12/12): Here is a list of apps that use the Pushwoosh SDK.

Posted on November 16, 2022 at 6:03 AM30 Comments


Bob Paddock November 16, 2022 8:03 AM

Is there any connection to AppMetrica?:

“AppMetrica is part of Yandex — one of the largest internet companies in Europe based in Amsterdam, Netherlands and headquartered in Moscow, Russia. Yandex started out as a search engine in 1997. Over time, it has evolved into an ecosystem of various end-user products — like Yandex.Translate, Yandex.Browser and Yandex.Zen — and a network of technologies for businesses and developers based on the latest innovations in machine learning and data science.”

Yandex does have less tendencies to censor things that other places do.

Ken_A November 16, 2022 8:12 AM

This was brought up where I work as well. While it is probably prudent to block or stop doing business with this company today I wonder if companies vet every vendor they use like this? And do the same standards apply to China, Saudia Arabia, or any other country that we typically think is suppressive?

Clive Robinson November 16, 2022 9:10 AM

@ ALL,

From the article,

“Russian authorities, however, have compelled local companies to hand over user data to domestic security agencies.”

So have very many other countries including Switzerland forcing a company to hand over details to a French “Witch Hunt” of political nature.

Once upon a time they did not have to do this, they simply sat on the “upstream router” and slurped up all the data just as the US NSA and UK GCHQ SigInt agencies did.

However the drive a few years back to get rid of “http” and use only “https” put quite a gimp in many authoritarian plans.

Thus bad though they are such “compelling” is proof that we can collectively “push back” against authoritarians at least sufficiently for some light to fall on a few of their otherwise hidden activities.

Grima Squeakersen November 16, 2022 11:17 AM

The creation by a commercial enterprise of what to all intents are shell companies with a physical presence in various locations in order to gain business and legal advantage is hardly a novelty; it arouses my curiosity why our host would so emphasize it here. Is it solely because the company in question has a strong connection to Russia? Would identical behaviour from a company with roots in, say, Kyiv, have been called out in the same manner? Just curious…

Ted November 16, 2022 11:44 AM

@Grima Squeakersen

Is it solely because the company in question has a strong connection to Russia?

Think also about sanctions and FTC laws. There’s a bit more on this in the article.

Clive Robinson November 16, 2022 11:57 AM

@ Grima Squeakersen,

To answer your implied question, the hint might be @Bruce’s line of,

“What does the code do? Spy on people”

Which at the minimum is a legitimate security question. Not the first time it’s come up nor I suspect the last.

Now you could repeate,

“The creation by a commercial enterprise of what to all intents are shell companies with a physical presence in various locations in order to gain business and legal advantage is hardly a novelty”

No it’s not, Israeli “spyware” companies have done it, US funded “spyware” companies have done it, so have several other European Nations where “spyware” companies are based have done it.

Our host has mentioned a lot of them when others have published about them.

So your question of,

“it arouses my curiosity why our host would so emphasize it here.”

Is a little dramatized, as indicated @Bruce has previously mentioned such companies so “emphasize” seems an odd almost querulous statment.

Thus a look at the source article from Reuters shows it to have been fairly recent and takes a lot more drum beating stance.

The fact is to quote the Reuters article,

“Thousands of smartphone applications in Apple (AAPL.O) and Google’s (GOOGL.O) online stores contain computer code developed by a technology company, Pushwoosh, that presents itself as based in the United States, but is actually Russian, Reuters has found.”

Now I do not know the number of applications with the code in but if Reuters say “Thousands” then they are probably speaking from knowledge. In which case it is a potentially serious security problem… That has just been identified and our host is passing it on.

Tatütata November 16, 2022 1:23 PM

There is a also corporate entity in Delaware called “Pushwoosh Inc” (file nr. 5533057).

I won’t shell out twenty bucks just to find out that I can’t find out anymore useful information, other than it is still somehow active, and that they are formally domiciled at some address in Wilmington shared with about a million other companies.

Why single out this corporation for shame? There are so many other red-white-and-blue, God-trusting, Murican-as-apple-pie entities that are registered in DE that are just as opaque and inscrutable. (And how often do I land on the web page of some US company where I can’t find out whether they have actual employees or an office, and can only be contacted over a mail form or an 800 number…)

Then there is the confusion deliberately maintained by large multinational corporations, with their multiplicity of instantiations, like “$BIGCORP {Inc., Trust,LLC,LLP,Ltd.,Pty.,Corp.,etc.}”, which are suddenly not equivalent when it comes to taxes or court proceedings…

In the mean time, my bank pesters me every other blue moon about filling some forms for the US IRS, merely because some of my savings may potentially touch this jurisdiction…

AlexT November 16, 2022 7:13 PM

A lot of companies are hiding currently that they have hired Russians.

One example – Arca Noae. They have hired a Russian developer and his work is critical for that company. However among the industry it’s very well known fact that this particular developer is an active supporter of the Russian invasion and war in Ukraine and this have already caused a numerous clashes. Some other developers have left because of him. But since his work on UEFI support is very important to the Arca Noae they decided not to tie this development branch to the company.

However now the cat is out of bag. Arca Noae upcoming product ArcaOS 5.1 has blood all over it. Customers should know that.

Clive Robinson November 16, 2022 7:59 PM

@ Tatütata, ALL,

“Why single out this corporation for shame?”

Well as I indicated above as @Bruce has pointed out,

“What does the code do? Spy on people”

Which alone is a valid point to pull them up on security and illicitly / unlawfully breaching users privacy, but it gets worse, as I further pointed out from the Reuters article,

“Thousands of smartphone applications in Apple (AAPL.O) and Google’s (GOOGL.O) online stores contain computer code developed by [the] technology company”

So it’s also a “serious” Privacy threat to god alone knows how many mobile and smart device users that have downloaded the deliberately backdoored applications. That most users have been led to believe are,

Supposedly user safe applications tested by both Google and Apple to be “safe enough” to be put in their “walled Gardens” market spaces.

So both Google and Apple need,

“calling out yet again for their significant failings in the name of profit and control over users to the users detriment”.

Such is the scale of this, a case could be argued that infact both Google and Apple are complicit in this spying and theft of users details thus breaching the users privacy. Further is the fact you could ask what Apple and Google are getting in “kick-back” to carry it in their walled gardens, directly from the company or other companies that profit by it being used against users.

You could then ask the all important question,

How many of Apple and Googles customers who are having their privacy breached are covered by the EU GDPR with it’s 4% of turnover penalties?

So yes it’s actually quite a big story when you dig down a little. This is not just Tax avoidance, or civil liability evasion, but a deliberate attempt at criminal intent and conspiracy.

And as I pointed out above,

“Thus a look at the source article from Reuters shows it to have been fairly recent…”

That is just the past couple of days so it is “Security News” from a world recognized source.

But to be fair to @Bruce, he’s actually not made much in the way of allegations against the company, the “singeling out” ones all come from the Reuters article.

The only addition @Bruce has made is a generalized security concern,

‘I have called supply chain security “an insurmountably hard problem,” and this is just another example of that.’

We are seeing way more of of this which is worrying but it is just one all be it currently very newsworthy example.

Clive Robinson November 16, 2022 8:45 PM

@ ALL,

I’ve had to split this into parts to get things past “automoderation” and it’s oddities. So,

Part 1,

As I’ve noted in my post above, the only point @Bruce has made over and above the Reuters artical is a generalized security concern of,

‘I have called supply chain security “an insurmountably hard problem,” and this is just another example of that.’

As we’re seeing these problems increasingly it is something we should give some serious consideration to over and above the immediate news worthy reporting of the significance of this particular example.

So the question of it being an “insurmountably hard problem” is actually a debatable one, depending on how you view it.

Thus there is a technical point of view and a market point of view and if you take the former the problem is most definitely not insurmountable.

To see why you first have to realise in this case it turns on the “Walled Garden” market spaces of Apple and Google and what they actually do rather than what their owners claim or imply they do.

Both Apple and Google have made and still make claims about their “Walled Gardens” that effectively say they do not think it is an “insurmountably hard problem”…

So if this is an “insurmountably hard problem” then the question of them “Knowingly making false statments for pecuniary gain” arise against both Apple and Google. Worse because there is an almost continuous stream of these “walled garden” failings it would be hard if not impossible for both Apple and Google to argue that their claims are now “not false”.

Clive Robinson November 16, 2022 9:03 PM

@ ALL,

Part 2,

The Technical point of view.

I personally do not think from the technical point of view that this “supply chain” issue is actually an “insurmountably hard problem”.

It is a matter of recorded fact that the US Government “Rainbow Books” from back last century outline a series of procedures to effectively prevent it. Yes you could argue that they are not 100% but then no security ever is due to the “unknown unknowns” issues. But the technical issue is not the real issue where as the movment of money is.

The cost of the most secure A1 procedures in the rainbow books was stagering, which is why so very few systems were ever produced and why next to none were ever purchased.

Security costs along the entire goods / service production chain, and in the case of A1 the costs of storage, and delivery were not technical in the slightest, they were for “physical security” to stop the sorts of tampering the NSA got caught for.

Clive Robinson November 16, 2022 9:13 PM

@ ALL,

Part 3,

Economic point of view.

Consider “Cost v. Value”, basic economics talks of “Supply and Demand”, noting that if you increase the price of an item then demand will fall. Whilst not strictly true due to “perceived value” as opppsed to “utility value” in consumers minds, it is true that at any given point in time there is a slightly different “Cost v. Utility” point in any given market.

Normally due to inflation for any physical good or service for a given level of utility the cost rises with time. This puts a time based imperative on a purchaser, if the physical object / service cost rise is less than the interest etc the purchaser gets on their money then they are financially better simply waiting, otherwise they should purchase as soon as they have sufficient funds available (with available being an awkward issue in it’s own right).

But what should a purchaser do if the actual “Cost v. Utility” for a good or service maintains a steady decline? As it does for information based objects and services. Well basic simple and overly generalised economic arguments of “supply and demand” are replaced with other arguments based on “production” or “work”.

Not just of the producer (developer) but importantly the consumer (user) who ultimately controls the source of funding.

Clive Robinson November 16, 2022 9:20 PM

@ ALL,

Part 4a,

The costs of work and production.

To carry out any process of work or production you need,

1, Knowledge.
2, Skills (equipment use ability).
3, Tooling (equipment).
4, Space (work area / warehousing).
5, Time.
6, Energy input.
7, Feed Stock (raw materials).
8, Utility added processing.
9, Transportation (in and out).

In traditional “physical object / service” production the first two are a small percentage of the production and to market costs. The second two are very significant usually considerably more than the total cost of a “production run”. The third two are necessary for all production of all goods irrespective of type. The last three also represent a high percentage of a physical object or service production process.

Clive Robinson November 16, 2022 9:22 PM

@ ALL,

Part 4b,

For electronic and information system goods and services the percentage distribution of the costs is stageringly different. With the first two often being the most significant costs.

For information objects and services the second two are often quite negligable or even free these days (home working). And the last three not actually existing for information objects and services as they can fall directly under the second two and can be as little as a PC in a closet in a basement etc next to the communications end point (importantly think about “software patches” as the process mechanism behind both can be identical).

For information objects and services the loss of these last three have a significant effect on the economic processes of these markets, with the bulk of the production cost falling onto “Design Costs” with negligable or near zero cost of production (file copy) and transportation (by Internet).

Clive Robinson November 16, 2022 9:32 PM

@ ALL,

Part 4b,

For electronic or information system goods/services the distribution of the costs by percentage is very different. With the first two often being the most significant costs.

Clive Robinson November 16, 2022 9:40 PM

@ ALL,

Part 4c,

With information objects/services, the second two are often quite negligable or even zero cost these days (think home working).

Clive Robinson November 16, 2022 9:45 PM

@ ALL,

Part 4d,

With the last three list items not actually existing for information objects/services as they will usuall fall directly under the second two list items.

Clive Robinson November 16, 2022 9:59 PM

@ ALL,

Part 4e,

This can be as low cost as a personal computer placed in a wiring space next to the comms ingress.

Clive Robinson November 16, 2022 10:04 PM

@ ALL,

Part 4f,

Importantly though is to compare the process to the distribution of “software patches” as the process method behind both can be made identical.

For information objects the loss of the last three items on the list has a significant effect on the economic processes of the markets. With the bulk of the production cost falling onto “Design Costs” with negligable or near zero cost of production (file copy) and transportation (by Internet).

Clive Robinson November 16, 2022 10:15 PM

@ ALL,

Part 5,

Producer Faux Markets.

I could as I have in the past on this blog go through these market changes in quite some detail and how the ICT industry has responded to them.

However the most important consideration is that for what is by simple definition a deflationary market, users purchase on actual or perceived “need” at a given “time” for their work / processes, rather than supply and demand pricing.

So for producers or suppliers, changing the “cost v. utility” to effect demand is actually fairly pointless. Which is why the producers of information goods have quite deliberately created “faux market incentives” of various forms, and it is from these the “insurmountably hard problem” issues actually arise.

Clive Robinson November 16, 2022 10:27 PM

@ ALL,

Part 6

Conclusion / sum up,

It is this “new market economics” and producer “faux market incentives” that need to be considered for the “Supply Chain” and if it’s security actually is an “insurmountably hard problem”.

It’s not hard to see that in the “Walled Garden” case it is actually a compleatly unnecessary step in the supply chain of an information object/service. In fact like financial products it is a “faux market”, deliberately designed to do nothing other than extract financial benifit by a “third party” forceably inserting themselves between the producer (developer) and the consumer (user). The side effect of which is rather than improve supply chain security it has an enormous detrimental effect, not just on security, but as a consequence the security and privacy of the consumer (user).

So what of a solution to these “faux markets” and the poor security they create?

The simple answer is to get rid of them, or “adjust the market” asspects of them that cause the “Supply Chain” to be an “insurmountably hard problem”.

Of course this will for the third parties,

“Break their rice bowls.”

Which means that the level of their “push back” will be extream, and I agree that this would probably be an “insurmountably hard problem” to deal with under the so called “Free Market” mantras.

In some respects corporations are more venal than most individuals, so Upton Sinclair’s observation on people in politics from nearly a century ago applys by the boat load on Silicon Valley Corps, so to re-word the quote,

It is difficult to get a Corps officers to understand something when their salary depends upon the investors not wishing to understanding it for profit reasons.

Thus there are realy only two solutions open to the consumers (users) under current conditions,

1, Do not use the producer so they wise up or go out of business.
2, Government legislates or regulates out the “faux market”.

Which happens, when, and to what measure, are very open questions.

Denton Scratch November 17, 2022 6:07 AM

Part 6

@Clive: You don’t think the automoderation that you’re trying to work around is intended to prevent exactly this kind of wall-of-text spamming?

Clive Robinson November 17, 2022 6:37 PM

@ Denton Scratch, SpaceLifeForm,

“You don’t think the automoderation that you’re trying to work around…”

Work around “NO”, blackbox test, whilst still being on topic “YES”.

The result of the test is it tends to suggest what I’ve suspected with other testing that @SpaceLifeForm, others and myself have tried to do without upseting others.

That is the spam filter appears to have a “leaky integrator” from an IP address over time, which makes hypothesis testing appear random.

That is this particular filter component cares not a jot what the content at the input is just the volumetric flow. At some number of chars input in a given time it applies what appears to be a soft choke that throttles your ability to enter content, thus other tests.

The problem in diagnosing is that it does not pass to the output which is what you see as an observer, so makes making hypothesis and test by trial and error difficult as it adds a time variable component.

The problem with this is it effects other testing, that an ordinary user might try (like @MarkH has in the past).

For example,

Let’s say you think that some word you are using is tripping the “naughty word” filter, but you have no idea what word it is. You’re only solution is to change words in your input to try to find out if it gets through or not.

Such word changing can be done very quickly in time especially if you use an editor with search and replace, or you use a form of binary chop to try to locate the word[1] using “cut-n-paste”.

But, unknown to you, you quickly hit the volumetric filter. Thus changing any words from that point on to find what you think is an accidental naughty word does not work… Even using an efficient “binary chop” search will hit the volume limit rapidly.

@ SpaceLifeForm,

Do you want to add,

“integration on input volume probably as a front end filter.”

To the list you are keeping as it does effect the ability to do other black box testing. In that you have to space resubmissions a lot further appart in time than you would otherwise do.

[1] You have to use a modified binary chop otherwise your part posts will be out of order. So you “try posting” must use only “first halves” not the slightly more efficient “random halves”.

lurker November 17, 2022 7:33 PM

@Clive Robinson

So what of a solution to these “faux markets” and the poor security they create?

Hands up who remembers “Shareware”? There was some good software “marketed” under the shareware system. There were devs who managed to thrive on the 2 ~ 5% who actually paid for it. I bought a site licence once which was priced on the sqrt of the number of seats.

But shareware was software by nerds for nerds. Security was part of the dev/vendor’s personal reputation. The modern “faux markets” are created by the OS and device makers who have created complexity in their systems and APIs that invite security bugs and at the same time keep 3rd party dev/vendors under the thumb of the market owners. Yes, “side loading” is still permitted with Android, but unless the author releases his code, or some similar validity check, the user is no better off than inside the walled garden.

SpaceLifeForm November 17, 2022 8:23 PM

@ Denton Scratch, Clive

Re: leaky integrator

Probably not here. Probably Upstream.

Thinktime metric.

The longer the comment, the longer you should wait before Submit. Maybe every 140 characters, wait 2 minutes for example. You must give Upstream time to collect your keystrokes.

Won’t someone think of tbe poor Upstream servers?

MarkH November 17, 2022 9:07 PM

@Clive, all:

I don’t understand how the automod works, I just know it can be very laborious to deal with.

For more than a year, I haven’t gotten even one comment through with much more than a dozen sentences. I’ve seen a few (including Clive) successfully post quite long comments from time to time.

My “interdiction rate” has been 100%.

My working hypothesis is that when the bot sees “MarkH” it applies the rule, “he’s a drone, keep him brief.”

Nostrum November 29, 2022 4:36 AM

US federal agencies as well as those from the EU they still buy RUSSIAN digital forensic software like Oxygen Forensic Detective “Мобильный Криминалист”), Elcomsoft and Belkasoft. There are no sanctions

Carrington December 15, 2022 9:30 AM

What can be done about such racism?

NOTE: I am not complaining about any specific problem in Bruce’s article, nor am I blaming Bruce for quite a common description of espionage organisations; however, some of my friends refuse to use programs because they are affiliated with expatriates of the Russian Federation, solely on the basis of distrust against the language and its speakers! If nothing else, this is simply offensive inefficiency, because it means that intelligence agencies end up hiring more and more polyglots to engage in software advocacy, instead of useful work.

Must seven generations of luddism pass before Russians can program computers again in the paranoid parts of the Anglosphere?

Leave a comment


Allowed HTML <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre> Markdown Extra syntax via

Sidebar photo of Bruce Schneier by Joe MacInnis.