Free Apps Are Quietly Turning Smart TVs Into Web-Scraping Proxies for AI

Summary

A researcher discovered that Bright Data's SDK, embedded in free consumer apps, can transform smart TVs and other devices into proxy exit nodes for web-scraping. This traffic is used to fuel AI data businesses, with the company leveraging a vast residential proxy network. The SDK's consent mechanisms are questionable, allowing significant data usage beyond user expectations and bypassing VPNs on iOS.

Full text

Free Apps Are Quietly Turning Smart TVs Into Web-Scraping Proxies for AI Swati KhandelwalJun 06, 2026Network Security / IoT Security A researcher has reverse-engineered the iOS SDK that Bright Data embeds in consumer apps and documented how it turns devices, including always-on smart TVs, into exit nodes that relay web-scraping traffic for a data business Bright Data markets heavily to the AI industry. The company, the successor to Luminati, operates what it calls the largest residential proxy network in the world, advertised at more than 400 million residential IPs. Part of that supply comes from this SDK, shipped inside free apps behind an opt-in screen and described as a consent-sourced pool of 150 million-plus IPs. The findings, published June 5 by Include Security and independent researcher Buchodi, matter because the scraping comes from the user's home IP, not the customer's. The immediate risk is not a hacked account or stolen data; it is that a home connection and its bandwidth get used as someone else's scraping infrastructure. A connected TV is close to ideal for that: usually plugged in, on a fast connection, effectively unmetered, and unwatched. The deepest technical evidence is from the iOS SDK; the smart-TV reach rests on Bright Data's platform support, its public partner list, and earlier reporting. The research found the peer channel that carries scraping jobs has no real authentication, and on iOS, its traffic bypasses a configured VPN. Inside the peer tunnel When the app opens, the SDK contacts one of Bright Data's servers, which hands over its instructions without really checking who is asking. From then on, the server can tell the device to go and fetch pages from other websites, using the user's home internet connection to do it. The researcher found the channel that carries those jobs has none of the usual security checks, and described it as weaker than the controls built into most malware. On iPhones, the researcher found that this traffic slips past a VPN, and that much of what the app does does not show up in the tools security teams normally use to monitor apps. The device can also keep relaying in the background while someone is watching the screen or on a call, as long as the battery is not low. The consent gap The opt-in screen does not match what the SDK actually allows. In one Roku app, Petflix, the screen said it would use the device and its connection "occasionally." The settings the SDK loads allow up to 200 GB of traffic a month. In a few countries, including Uzbekistan and Oman, the limits are set far higher, and the device is cleared to keep working almost until the battery runs flat. The SDK can also tie together a person's phone and computers that run the same company's apps, treating them as one user. Bright Data publishes its list of app partners on a page anyone can open, and it includes makers of smart-TV apps such as PlayWorks Digital, CloudTV, and Longvision. The researcher is careful to note that being on the list only shows a company worked with Bright Data at some point, not that its app includes the SDK today. Each one would need to be checked on its own. An old model, pulled by AI demand None of this is new in shape, only in scale. Bright Data is the successor to Luminati, the paid proxy service that grew out of Hola VPN. In 2015 Hola was caught selling its free users' bandwidth as exit nodes through Luminati, at $20 a gigabyte. The same model now runs on the always-on box in the living room. What changed is the buyer. Anti-bot defenses from Cloudflare, DataDome, and others block scrapers coming from datacenter IPs, so AI scrapers route through residential connections instead. Krebs reported in October 2025 that proxies from botnets like Aisuru are fueling large-scale AI data harvesting, and Google dismantled the criminal IPIDEA proxy network in January. Those operations hijack consumer devices; Bright Data says its exit nodes opt in through a consent screen. That consent is the line between the two, and whether it is meaningful is the open question. Lowpass, syndicated by The Verge, first surfaced the smart-TV angle in February, and this is the technical teardown. Google, Amazon, and Roku have since restricted background proxy SDKs, and Bright Data dropped those platforms, though it still lists Samsung's Tizen and LG's webOS. What to do The traffic is easy to spot and block. On a home network, the simplest step is to block the web addresses the SDK uses to connect, with a router-level tool like Pi-hole or NextDNS. The main ones are proxyjs.brdtnet.com, proxyjs.luminatinet.com, proxyjs.bright-sdk.com, clientsdk.bright-sdk.com, and clientsdk.brdtnet.com. According to the research, blocking these stops the device from acting as a relay without affecting Bright Data's paid service, which runs on separate addresses. Companies that manage staff phones can also scan for apps that carry the SDK. One catch: on a mobile connection, the traffic sidesteps office Wi-Fi, so a network block alone will not always catch it. Bright Data could also change how the SDK connects in the future, which would mean any blocklist needs updating. Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post. SHARE     Tweet Share Share Share SHARE  AI, Bandwidth, Bright Data, cybersecurity, iOS, network security, Residential Proxy, Smart TV, VPN, Web Scraping ⚡ Top Stories This Week Google June 2026 Android Update Patches 124 Flaws, One Actively Exploited Oracle WebLogic CVE-2024-21182 Added to KEV Catalog After Active Exploitation Dashlane Discloses Brute-Force Attack, Encrypted Vaults of Fewer Than 20 Users Downloaded Miasma Supply Chain Attack Compromises Red Hat npm Packages with Credential-Stealing Worm ⚡ Weekly Recap: New Linux Flaw, PAN-OS Exploit, AI-Powered Attacks, OAuth Phishing and More OpenAI Codex Authentication Tokens Stolen in codexui-android npm Supply Chain Attack PAN-OS GlobalProtect Authentication Bypass (CVE-2026-0257) Under Active Exploitation ChatGPhish Vulnerability Turns ChatGPT Web Summaries Into a Phishing Surface Attackers Use LLM Agent for Post-Exploitation After Marimo CVE-2026-39987 Exploit Threat Actors Exploit Critical FortiClient EMS Flaw to Deploy Credential Stealer Microsoft Slams Public Zero-Day Disclosures Amid GitHub Researcher Account Removal ThreatsDay Bulletin: Claude Security Plugin, Azure Priv-Esc, Kali365 MFA Bypass, FIFA Scams +15 More Malicious npm Package Stole Files From Claude AI User Directory via GitHub GlassWorm Malware Takedown Disrupts Developer Supply Chain Attack Infrastructure AI Chatbot Recommendations Redirect Users to Cryptojacking Malware Sites Microsoft Patches SharePoint RCE Flaw CVE-2026-45659 Across Server Versions ⭐ Featured Resources Your Employees Are Using AI in Ways You Can’t See – 2026 State of AI Report Learn How to Stop Attacks Before They Reach Your EDR – With PHASR Watch AI Turn Vulnerabilities Into Working Exploits in Minutes (See the Demo) [Guide] The Real Security Risks of Shadow AI (And Where You’re Exposed)

Entities