This article originally appeared on VICE US.
Banjo, an artificial intelligence firm that works with police used a shadow company to create an array of Android and iOS apps that looked innocuous but were specifically designed to secretly scrape social media, Motherboard has learned.
The news signifies an abuse of data by a government contractor, with Banjo going far beyond what companies which scrape social networks usually do. Banjo created a secret company named Pink Unicorn Labs, according to three former Banjo employees, with two of them adding that the company developed the apps. This was done to avoid detection by social networks, two of the former employees said.
Three of the apps created by Pink Unicorn Labs were called "One Direction Fan App," "EDM Fan App," and "Formula Racing App." Motherboard found these three apps on archive sites and downloaded and analyzed them, as did an independent expert. The apps—which appear to have been originally compiled in 2015 and were on the Play Store until 2016 according to Google—outwardly had no connection to Banjo, but an analysis of its code indicates connections to the company. This aspect of Banjo's operation has some similarities with the Cambridge Analytica scandal, with multiple sources comparing the two incidents.
"Banjo was doing exactly the same thing but more nefariously, arguably," a former Banjo employee said, referring to how seemingly unrelated apps were helping to feed the activities of the company's main business. Motherboard granted four former employees and another source close to the company anonymity because they had signed non-disclosure agreements with Banjo.
Do you work at Banjo or know anything else about the company’s work? Do you know about any other apps that abused data access? We’d love to hear from you. Using a non-work phone or computer, you can contact Jason Koebler securely on Signal on +1 202 505 1702 , or Joseph Cox on Signal on +44 20 8133 5190 , Wickr on josephcox, OTR chat on firstname.lastname@example.org , or email email@example.com_**.**
Last year Banjo signed a $20.7 million contract with Utah that granted the company access to the state's traffic, CCTV, and public safety cameras. Banjo promises to combine that input with a range of other data such as satellites and social media posts to create a system that it claims alerts law enforcement of crimes or events in real-time.
"We essentially do most of what Palantir does, we just do it live," Banjo's top lobbyist Bryan Smith previously told police chiefs and 911 dispatch officials when pitching the company's services.
The company has not publicly explained how it specifically scrapes social media apps.
Motherboard found the apps developed by Pink Unicorn Labs included code mentioning signing into Facebook, Twitter, Instagram, Russian social media app VK, FourSquare, Google Plus, and Chinese social network Sina Weibo.
There are several ways these apps could have scraped social media—perhaps by sending the saved login token to a server for Banjo to use later, or by using the app itself to scrape information—but it is not totally clear which method Banjo used because the API that the apps connected to is no longer live. Motherboard found that the apps when opened made web requests to the domain "pulapi.com," likely referring to Pink Unicorn Labs, but the site that would provide a response to the app is currently down.
One of the former employees said they saw one of the apps when it was still working and it had a high number of logins.
"It was all major social media platforms," they added. The particular versions of the apps Motherboard obtained, when opened, asked a user to sign-in with Instagram.
Business records for Pink Unicorn Labs show the company was originally incorporated by Banjo CEO Damien Patton. Banjo employees worked directly on Pink Unicorn Labs projects from Banjo's offices, several of the former employees said, though they added that Patton made it clear in recent years that Banjo needed to wind down Pink Unicorn Labs' work and not be linked to the firm.
"There was something about Pink Unicorn that was important for Damien to distance himself from," another former employee told Motherboard.
"I always knew this moment would come. While I worked there, it felt like I was spying on the world."
Before pivoting to artificial intelligence for governments, Banjo was a social media-focused company, offering an app that would show what was happening around a user based on posts from Twitter, Instagram, FourSquare, and other social networks. It then moved onto providing services to media companies, letting them know if something significant and perhaps newsworthy was breaking on social networks. Some similar companies, like Dataminr, have permission from social media sites to use large amounts of data; Twitter, which owns a stake in Dataminr, gives the firm exclusive access to its so-called "fire hose" of public posts.
Banjo did not have that sort of data access. So it created Pink Unicorn Labs, which one former employee described as a "shadow company," that developed apps to harvest social media data.
"They were shitty little apps that took advantage of some of the data that we had but the catch was that they had a ton of OAuth providers," one of the former employees said. OAuth providers are methods for signing into apps or websites via another service, such as Facebook's "Facebook Connect," Twitter's "Sign In With Twitter," or Google's "Google Sign-In." These providers mean a user doesn't have to create a new account for each site or app they want to use, and can instead log in via their already established social media identity.
But once users logged into the innocent looking apps via a social network OAuth provider, Banjo saved the login credentials, according to two former employees and an expert analysis of the apps performed by Kasra Rahjerdi, who has been an Android developer since the original Android project was launched. Banjo then scraped social media content, those two former employees added. The app also contained nonstandard code written by Pink Unicorn Labs: "The biggest red flag for me is that all the code related to grabbing Facebook friends, photos, location history, etc. is directly from their own codebase," Rahjerdi said.
The Android versions of the apps are no longer available on the Google Play Store, but each of the three apps had install bases ranging from a minimum of 5,000 users up to 100,000 users, according to records on one Android app archive site. Motherboard also identified an iOS version of the EDM Fan App. Users of each app could follow events such as concerts or races, judging by screenshots of the apps in action on the Android app archive site.
"Formula Racing App is your all-access pass to every race across the globe! View the photos and videos posted by fans at each race. Share the photos and videos with your friends," the description for Formula Racing App read.
"Banjo was secretly farming peoples' user tokens via these shadow apps," one of the former employees said. "That was the entire point and plan," they added when asked if the apps were specifically designed to steal users' login tokens.
"At their face value [of being sports or celebrity apps], those apps functionally were so far off from what our business model was that I can't see any way they were relics of a pre-pivot business model," a second former employee said.
"Banjo was doing exactly the same thing but more nefariously, arguably."
Rahjerdi told Motherboard, "They’re a shared codebase made to be super easy to setup new apps."
The apps request a wide range of permissions, such as access to location data, the ability to create accounts and set passwords, and find accounts on the device.
Multiple sources said Banjo tried to keep Pink Unicorn Labs a secret, but Motherboard found several links between the two. An analysis of the Android apps revealed all three had code that contained web links to Banjo's website; each app contained a set of identical data that appeared to be pulled from social network sites, including repeatedly the Twitter profile of Jennifer Peck, who works for Banjo and is also married to Banjo's Patton. In registration records for the two companies, both Banjo and Pink Unicorn Labs shared the same address in Redwood, California; and Patton is listed as the creator of Pink Unicorn Labs in that firm's own public records.
"Several projects I worked on were 'make sure you only ever use this VPN to run the code, we can't have this traced back to us','" one former employee recalled being told while working at Banjo. Another said the company carried out a lot of work through Tor, which is a network for using the internet anonymously and avoiding attribution back to identifying IP addresses.
Banjo did not respond to a request for comment for this article and did not respond to multiple requests for comment for our earlier investigation into the company. Motherboard asked Banjo a set of specific questions including whether data collected by the Pink Unicorn Labs apps provided any sort of input, such as training data, for Banjo's more recent artificial intelligence products that the state of Utah purchased.
One source who didn't work at the company but spent a lot of time at its offices and signed an NDA with Banjo said the mood was "apocalyptic" in the company's office when news of the Cambridge Analytica scandal broke in March 2018. The Guardian, The Observer, and The New York Times reported how Cambridge Analytica had used a Facebook-based app to harvest data on tens of millions of users.
"You can imagine the luls that were had when we saw Cambridge Analytica take so much heat," a second source said.
"I always knew this moment would come. While I worked there, it felt like I was spying on the world," one of the former employees said.
"You can imagine the luls that were had when we saw Cambridge Analytica take so much heat."
The Banjo case raises questions around other apps that may have abused similar access.
While a Twitter spokesperson said the company had no “active evidence” on the Pink Unicorn Labs example, they wrote in an email they were familiar with Banjo itself, and "We’ve seen examples of similar misuse of OAuth tokens in the past, and have enforced when we’ve seen them." Twitter also confirmed it enforced against this exact sort of violation by Banjo after finding it proactively in 2017, but did not elaborate on which specific Banjo app.
A Facebook spokesperson wrote in an email, "Our policies prohibit scraping people's data. We are investigating and will take appropriate action." Facebook said Banjo no longer has access to Facebook's APIs.
A Google spokesperson said the Pink Unicorn Labs apps were removed from the Play Store in 2016, but did not elaborate when asked if Pink Unicorn Labs itself removed them or if Google did.
Apple did not respond to a request for comment.
Update: This piece has been updated to include more comment from Twitter.
Subscribe to our cybersecurity podcast, CYBER.