US Government Russian Code Bundled Apps with Links to Mobile Malware Developer - Krebs on Security

A recent scoop from Reuters revealed that mobile applications for the U.S. Army and the Centers for Disease Control and Prevention (CDC) included software that sends visitor data to a Russian company called Pushwoosh, which claims to be based in the United States. But this story omitted an important historical detail about Pushwoosh: in 2013, one of its developers admitted to being the author of the Pincer Trojan, malware designed to surreptitiously intercept and transfer text messages from Android mobile devices.

Pushwoosh says it’s a US-based company that provides code for software developers to profile smartphone app users based on their online activity, allowing them to send tailored notifications. But a recent Reuters investigation has raised questions about the company’s actual location and veracity.

The military told Reuters it removed an app containing Pushwoosh in March, citing “security concerns”. The Army app was used by soldiers at one of the country’s major combat training bases.

Reuters said the CDC also recently removed the Pushwoosh code from its app for security reasons, after reporters informed the agency that Pushwoosh was not based in the Washington, DC area – as the company had portrayed itself – but was instead operated from Novosibirsk, Russia.

Pushwoosh’s software has also been found in applications for “a wide range of international corporations, influential nonprofits and government agencies, from the global consumer goods company Unilever and the Union of European Football Associations (UEFA) to the powerful US gun lobby, the National Rifle Association (NRA), and Great Britain’s Labour Party.”

Company founder Max Konev told Reuters that Pushwoosh “has no connection with the Russian government of any kind” and stores its data in the United States and Germany.

But Reuters found that while Pushwoosh’s social media and US regulatory filings list it as an American company based in various locations in California, Maryland and Washington, D.C., the company’s employees are located in Novosibirsk, Russia.

Reuters also learned that the company’s address in California does not exist and that two LinkedIn accounts for Pushwoosh employees in Washington, DC were fake.

“Pushwoosh never mentioned it was based in Russia in eight annual filings in the US state of Delaware, where it is registered, an omission that could violate state law,” Reuters reported.

Pushwoosh admitted the LinkedIn profiles were fake, but said they were created by a marketing company to boost the company’s business – without misrepresenting its location.

Pushwoosh told Reuters it used addresses in the Washington, DC area to “receive business correspondence” during the coronavirus pandemic. A review of the Pushwoosh founder’s online presence via Constella Intelligence shows that his Pushwoosh email address was linked to a phone number in Washington, D.C. that was also connected to the email addresses and account profiles of more than a dozen other Pushwoosh employees.

Pushwoosh was incorporated in Novosibirsk, Russia in 2016.


Part of the scrutiny of Pushwoosh came from data collected by Zach Edwards, a security researcher who until recently worked for Internet Safety Labs, a nonprofit that funds research into online threats.

Edwards said Pushwoosh started out as Arello-Mobile, and for several years the two co-branded — appearing side by side at various tech shows. Around 2016, he said, the two companies both started using the Pushwoosh name.

A search of Pushwoosh’s codebase shows that one of the company’s longtime developers is a 41-year-old man from Novosibirsk named Yuri Shmakov. In 2013, KrebsOnSecurity interviewed Shmakov for the story, “Who wrote the Android Pincer Trojan?” in which Shmakov admitted to writing the malware as an independent project.

Shmakov told me that, based on the customer’s specifications, he suspected that it could ultimately be used for nefarious purposes. Nonetheless, he finished the job and signed his work by including his nickname in the code of the application.

“I worked on this app for a few months and hoped it would be really useful,” Shmakov wrote. “[The] idea of this app is that you can configure it as a spam filter…block certain calls and SMS remotely, from a web service. I was hoping it would be [some kind of] blacklist, with blocked logging [messages/calls]. But of course I understood that the client [did] not really want that.”

Shmakov did not respond to requests for comment. His LinkedIn profile indicates that he stopped working for Arello Mobile in 2016 and is currently employed full-time as an Android team leader at an online betting company.

In a blog post responding to the Reuters story, Pushwoosh stated that it is a private company incorporated under the laws of the State of Delaware, USA, and that Pushwoosh Inc. was never owned by any company registered in the Russian Federation.

“Pushwoosh Inc. used to outsource parts of product development to the Novosibirsk-based Russian company mentioned in the article,” the company said. “However, in February 2022, Pushwoosh Inc. terminated the contract.”

However, Edwards noted that dozens of developer subdomains on the main Pushwoosh domain still point to JSC Avantel, an internet provider based in Novosibirsk, Russia.


Pushwoosh employees posing at a company laser tag event.

Edwards said the US Army app had a custom Pushwoosh setup that didn’t appear on any other client implementation.

“It had an extremely custom setup that didn’t exist anywhere else,” Edwards said. “Originally it was an in-app web browser, where it embeds Pushwoosh JavaScript so that whenever a user clicks on links, data is passed to Pushwoosh and it could return whatever it wanted through the in-app browser.”

An Army Times report published the day after the Reuters story said that at least 1,000 people had downloaded the app, which “provided updates to troops at the National Training Center in Fort Irwin, California, a critical waypoint for deploying units to test their battlefield prowess before heading overseas.”

In April 2022, approximately 4,500 members of the military converged on the National Training Center for a war games exercise on how to use lessons learned from Russia’s war against Ukraine to prepare for future fights against a major opponent like Russia or China.

Edwards said that despite Pushwoosh’s many misrepresentations, the company’s software doesn’t appear to have done anything untoward to its customers or users.

“Nothing they did was considered malicious,” he said. “Besides completely lying about where they are, where their data is housed, and where they have infrastructure.”


Edwards also found Pushwoosh’s technology embedded in nearly two dozen mobile apps that have been sold to cities and towns in Illinois as a way to help citizens access general information about their local communities and their officials.

The Illinois apps that bundled Pushwoosh’s technology were produced by a company called Government 311, which is owned by Bill McCarty, the current director of the Springfield Office of Budget and Management. A 2014 story in The State Journal-Register said Gov 311 pricing was based on population and the app would cost around $2,500 per year for a city of around 25,000 people.

McCarty told KrebsOnSecurity that his company stopped using Pushwoosh “years ago” and now relies on its own technology to deliver push notifications through its 311 apps.

But Edwards discovered that some of the 311 apps were still trying to phone home to Pushwoosh, such as the 311 app for Riverton, Illinois.

“Riverton ceased to be a customer several years ago, which [is] probably why their app was never updated to replace Pushwoosh,” McCarty explained. “We are in the process of updating all client applications and refreshing the website. As part of this, old unused apps like Riverton 311 will be removed.”


Edwards said it’s far from clear how many other state and local government apps and websites rely on technology that sends user data to U.S. adversaries overseas. In July, Congress introduced an amended version of the Intelligence Authorization Act for 2023, which included a new section focused on data derived from online ad auctions that could be used to geolocate individuals or obtain other information about them.

Business Insider reports that if this section makes it into the final version – which the Senate must also adopt – the Office of the Director of National Intelligence (ODNI) will have 60 days after the law takes effect to produce a risk assessment. The assessment will address “counterintelligence risks and the exposure of intelligence community personnel to tracking by foreign adversaries through data from ad technology,” the law says.

Edwards says he hopes these changes go through, because what he found with Pushwoosh is probably just a drop in the bucket.

“I hope Congress will act on this,” he said. “If they were to mandate an annual risk audit of foreign ad tech, that would at least force people to identify and document those connections.”
