Free Apps on Samsung and LG Smart TVs Secretly Turning Your Devices Into AI Proxies
Cybersecurity NewsArchived Jun 07, 2026✓ Full text saved
Free apps available on Samsung, LG, Roku, and other major smart TV platforms have been quietly enrolling millions of living room devices into a commercial residential proxy network used to scrape web data for AI training all through a consent dialog buried in a TV remote’s arrow-key navigation, according to new research from Include Security. […] The post Free Apps on Samsung and LG Smart TVs Secretly Turning Your Devices Into AI Proxies appeared first on Cyber Security News .
Full text archived locally
✦ AI Summary· Claude Sonnet
HomeCyber Security
Free Apps on Samsung and LG Smart TVs Secretly Turning Your Devices Into AI Proxies
By Guru Baran
June 6, 2026
Free apps available on Samsung, LG, Roku, and other major smart TV platforms have been quietly enrolling millions of living room devices into a commercial residential proxy network used to scrape web data for AI training all through a consent dialog buried in a TV remote’s arrow-key navigation, according to new research from Include Security.
The culprit is an SDK developed by Bright Data, a Tel Aviv-based data-collection company that markets what it calls the world’s largest residential proxy network, claiming 150M+ IP addresses sourced via embedded software in partner apps.
When installed, the SDK silently transforms a user’s connected TV (CTV) or mobile device into an exit node, routing paying customers’ web-scraping traffic through the user’s home internet connection.
Researcher Buchodi, working alongside Include Security, explains why connected TVs are a prime target compared to smartphones: they are always plugged in, always on Wi-Fi, sit in standby 24/7, face virtually zero corporate or MDM oversight, and are rarely attended by users.
Free Apps Turning Smart TVs into Proxies
The SDK’s configuration confirms this exploitation, with idle threshold flags set to ignore_screen_on: true and ignore_on_call: true meaning a device is considered eligible to relay third-party traffic even while a user is actively watching or on a call.
The monthly bandwidth default for Wi-Fi relaying is capped at 200 GB per device, according to config values retrieved from Bright Data’s own unauthenticated public endpoint at clientsdk.bright-sdk.com.
The same unauthenticated config endpoint exposes a partner manifest, which researchers identified as including:
PlayWorks Digital — 400+ CTV game titles distributed across Samsung, LG, Comcast, Roku, and Sky, reaching an estimated 250 million TV households
CloudTV — integrated across 125+ TV brands and 15+ OEMs
Viber Media (Rakuten) — 250M–820M monthly active users
Moonfrog Labs — ~10M MAU on Teen Patti Gold alone
Hola Networks — Bright Data’s lineage parent company
The SDK opens a persistent WebSocket to proxyjs.brdtnet.com:443, resolving to AWS Global Accelerator IPs and presenting a TLS certificate for *.luminatinet.com Bright Data’s pre-2018 corporate name was Luminati Networks.
This legacy hostname serves as a direct detection pivot for defenders: any luminatinet.com or brdtnet.com traffic on a network is specifically the SDK’s peer-tunnel plane, not legitimate Bright Data customer traffic.
Critically, the SDK uses Apple’s NWParameters.requiredInterface API to bind the data plane directly to the physical Wi-Fi or cellular interface, bypassing any user-configured VPN entirely.
The control plane uses CFHTTPMessage primitives instead of URLSession, defeating standard iOS instrumentation tools. The combination ensures the SDK’s most sensitive channel remains invisible to typical security monitoring layers.
Buchodi recommends blocking the following DNS hostnames at your router:
proxyjs.brdtnet.com
proxyjs.luminatinet.com
clientsdk.bright-sdk.com
For TLS-based filtering, drop any handshake with SNI matching *.brdtnet.com, *.luminatinet.com, or *.luminati.io. Enterprise MDM administrators should scan for Swift binary symbols BrdWebSocketFacade and BrdNetwork.DNSResolver to identify affected apps on managed devices.
Include Security notified Bright Data on May 11, 2026, via privacy@brightdata.com. No response was received prior to publication.
Follow us on Google News, LinkedIn, and X to Get More Instant Updates.
Tags
cyber security
cyber security news
Copy URL
Linkedin
Twitter
ReddIt
Telegram
Guru Baranhttps://cybersecuritynews.com
Gurubaran KS is a cybersecurity analyst, and Journalist with a strong focus on emerging threats and digital defense strategies. He is the Co-Founder and Editor-in-Chief of Cyber Security News, where he leads editorial coverage on global cybersecurity developments.
Trending News
Hackers Use YouTube and SEO Poisoning to Spread WeedHack Minecraft Malware
binding.gyp Supply Chain Attack Compromises Dozens of npm Packages Across Maintainer Accounts
Dashlane Password Manager User Accounts Locked Following Brute-Force Attacks
Windows Netlogon 0-Click RCE Vulnerability Now Actively Exploited In The Wild
Threat Actor Uses Stolen Gemini API Keys to Automate Telegram Influence Campaign
Latest News
Cyber Security News
Top 5 Best Tools for Simulated DDoS Attacks in 2026
Cyber Security News
Critical Hugging Face Transformers Vulnerability Enables Remote Code Execution Attacks
Cyber Security
OWASP CVE Lite CLI – New Tool to Scan for Vulnerabilities in Your Projects
Cyber Security News
Anthropic’s Claude Services Down — claude.ai, Claude Code, and Cowork Affected [Updated]
Cyber Security News
Hackers Publish Malicious Python Package Mimicking Legitimate Parsimonious Parser