Thousands of smartphone applications in Apple and Google's online stores contain computer code developed by a technology company, Pushwoosh, that presents itself as based in the United States, but is actually Russian.
The Centers for Disease Control and Prevention (CDC), the United States' main agency for fighting major health threats, said it had been deceived into believing Pushwoosh was based in the US capital. After learning about its Russian roots, it removed Pushwoosh software from seven public-facing apps, citing security concerns.
The US Army said it had removed an app containing Pushwoosh code in March because of the same concerns. That app was used by soldiers at one of the country's main combat training bases.
According to company documents publicly filed in Russia and reviewed by Reuters, Pushwoosh is headquartered in the Siberian town of Novosibirsk, where it is registered as a software company that also carries out data processing. It employs around 40 people and reported revenue of 143,270,000 rubles ($2.4m) last year. Pushwoosh is registered with the Russian government to pay taxes in Russia.
On social media and in US regulatory filings, however, it presents itself as a US company, based at various times in California, Maryland and Washington, DC.
Pushwoosh provides code and data processing support for software developers, enabling them to profile the online activity of smartphone app users and send tailor-made push notifications from Pushwoosh servers.
On its website, Pushwoosh says it does not collect sensitive information, and no evidence was found that Pushwoosh mishandled user data. Russian authorities, however, have compelled local companies to hand over user data to domestic security agencies.
Pushwoosh's founder, Max Konev, told Reuters in a September email that the company had not tried to mask its Russian origins. "I am proud to be Russian and I would never hide this."
He said the company "has no connection with the Russian government of any kind" and stores its data in the United States and Germany.
Cybersecurity experts said storing data overseas would not prevent Russian intelligence agencies from compelling a Russian firm to cede access to that data, however.
Russia, whose ties with the West have deteriorated since its takeover of the Crimean Peninsula in 2014 and its invasion of Ukraine this year, is a global leader in hacking and cyber-espionage, spying on foreign governments and industries to seek competitive advantage, according to Western officials.
Pushwoosh code was installed in the apps of a wide array of international companies, influential non-profits and government agencies from global consumer goods company Unilever Plc and the Union of European Football Associations (UEFA) to the politically powerful US gun lobby, the National Rifle Association (NRA), and Britain's Labour Party.
Pushwoosh's business with US government agencies and private companies could violate contracting and US Federal Trade Commission (FTC) laws or trigger sanctions, 10 legal experts told Reuters. The FBI, US Treasury and the FTC declined to comment.
Jessica Rich, former director of the FTC's Bureau of Consumer Protection, said "this type of case falls right within the authority of the FTC," which cracks down on unfair or deceptive practices affecting US consumers.
Washington could choose to impose sanctions on Pushwoosh and has broad authority to do so, sanctions experts said, including possibly through a 2021 executive order that gives the United States the ability to target Russia's technology sector over malicious cyber activity.
Pushwoosh code has been embedded into almost 8,000 apps in the Google and Apple app stores, according to Appfigures, an app intelligence website. Pushwoosh's website says it has more than 2.3 billion devices listed in its database.
"Pushwoosh collects user data including precise geolocation, on sensitive and governmental apps, which could allow for invasive tracking at scale," said Jerome Dangu, co-founder of Confiant, a firm that tracks misuse of data collected in online advertising supply chains.
"We haven't found any clear sign of deceptive or malicious intent in Pushwoosh's activity, which certainly doesn't diminish the risk of having app data leaking to Russia," he added.
Google said privacy was a "huge focus" for the company but did not respond to requests for comment about Pushwoosh. Apple said it takes user trust and safety seriously but similarly declined to answer questions.
Keir Giles, a Russia expert at London think tank Chatham House, said despite international sanctions on Russia, a "substantial number" of Russian companies were still trading abroad and collecting people's personal data.
Given Russia's domestic security laws, "it shouldn't be a surprise that with or without direct links to Russian state espionage campaigns, firms that handle data will be keen to play down their Russian roots," he said.
After Reuters raised Pushwoosh's Russian links with the CDC, the health agency removed the code from its apps because "the company presents a potential security concern," spokesperson Kristen Nordlund said.
"CDC believed Pushwoosh was a company based in the Washington, DC area," Nordlund said in a statement. The belief was based on "representations" made by the company, she said, without elaborating.