Banjo, an artificial intelligence firm that works with police used a shadow company to create an array of Android and iOS apps that looked innocuous but were specifically designed to secretly scrape social media, Motherboard has learned.
The news signifies an abuse of data by a government contractor, with Banjo going far beyond what companies which scrape social networks usually do. Banjo created a secret company named Pink Unicorn Labs, according to three former Banjo employees, with two of them adding that the company developed the apps. This was done to avoid detection by social networks, two of the former employees said.
Three of the apps created by Pink Unicorn Labs were called “One Direction Fan App,” “EDM Fan App,” and “Formula Racing App.” Motherboard found these three apps on archive sites and downloaded and analyzed them, as did an independent expert. The apps—which appear to have been originally compiled in 2015 and were on the Play Store until 2016 according to Google—outwardly had no connection to Banjo, but an analysis of its code indicates connections to the company. This aspect of Banjo’s operation has some similarities with the Cambridge Analytica scandal, with multiple sources comparing the two incidents.
“Banjo was doing exactly the same thing but more nefariously, arguably,” a former Banjo employee said, referring to how seemingly unrelated apps were helping to feed the activities of the company’s main business.
Last year Banjo signed a $20.7 million contract with Utah that granted the company access to the state’s traffic, CCTV, and public safety cameras. Banjo promises to combine that input with a range of other data such as satellites and social media posts to create a system that it claims alerts law enforcement of crimes or events in real-time.
“We essentially do most of what Palantir does, we just do it live,” Banjo’s top lobbyist Bryan Smith previously told police chiefs and 911 dispatch officials when pitching the company’s services.
Motherboard found the apps developed by Pink Unicorn Labs included code mentioning signing into Facebook, Twitter, Instagram, Russian social media app VK, FourSquare, Google Plus, and Chinese social network Sina Weibo.
One of the former employees said they saw one of the apps when it was still working and it had a high number of logins.
“It was all major social media platforms,” they added. The particular versions of the apps Motherboard obtained, when opened, asked a user to sign-in with Instagram.
Business records for Pink Unicorn Labs show the company was originally incorporated by Banjo CEO Damien Patton. Banjo employees worked directly on Pink Unicorn Labs projects from Banjo’s offices, several of the former employees said, though they added that Patton made it clear in recent years that Banjo needed to wind down Pink Unicorn Labs’ work and not be linked to the firm.
“There was something about Pink Unicorn that was important for Damien to distance himself from,” another former employee told Motherboard.
ome similar companies, like Dataminr, have permission from social media sites to use large amounts of data; Twitter, which owns a stake in Dataminr, gives the firm exclusive access to its so-called “fire hose” of public posts.
Banjo did not have that sort of data access. So it created Pink Unicorn Labs, which one former employee described as a “shadow company,” that developed apps to harvest social media data.
“They were shitty little apps that took advantage of some of the data that we had but the catch was that they had a ton of OAuth providers,” one of the former employees said. OAuth providers are methods for signing into apps or websites via another service, such as Facebook’s “Facebook Connect,” Twitter’s “Sign In With Twitter,” or Google’s “Google Sign-In.” These providers mean a user doesn’t have to create a new account for each site or app they want to use, and can instead log in via their already established social media identity.
But once users logged into the innocent looking apps via a social network OAuth provider, Banjo saved the login credentials, according to two former employees and an expert analysis of the apps performed by Kasra Rahjerdi, who has been an Android developer since the original Android project was launched. Banjo then scraped social media content, those two former employees added. The app also contained nonstandard code written by Pink Unicorn Labs: “The biggest red flag for me is that all the code related to grabbing Facebook friends, photos, location history, etc. is directly from their own codebase,” Rahjerdi said.
“Banjo was secretly farming peoples’ user tokens via these shadow apps,” one of the former employees said. “That was the entire point and plan,” they added when asked if the apps were specifically designed to steal users’ login tokens.
The apps request a wide range of permissions, such as access to location data, the ability to create accounts and set passwords, and find accounts on the device.
Multiple sources said Banjo tried to keep Pink Unicorn Labs a secret, but Motherboard found several links between the two. An analysis of the Android apps revealed all three had code that contained web links to Banjo’s website; each app contained a set of identical data that appeared to be pulled from social network sites, including repeatedly the Twitter profile of Jennifer Peck, who works for Banjo and is also married to Banjo’s Patton. In registration records for the two companies, both Banjo and Pink Unicorn Labs shared the same address in Redwood, California; and Patton is listed as the creator of Pink Unicorn Labs in that firm’s own public records.