CyberSecurityNews

Free Apps on Samsung and LG Smart TVs Secretly Turning Your Devices Into AI Proxies


Free apps available on Samsung, LG, Roku, and other major smart TV platforms have been quietly enrolling millions of living room devices into a commercial residential proxy network used to scrape web data for AI training, all through a consent dialog buried in a TV remote’s arrow-key navigation, according to new research from Include Security.

The culprit is an SDK developed by Bright Data, a Tel Aviv-based data-collection company that markets what it calls the world’s largest residential proxy network, claiming 150M+ IP addresses sourced via embedded software in partner apps.

When installed, the SDK silently transforms a user’s connected TV (CTV) or mobile device into an exit node, routing paying customers’ web-scraping traffic through the user’s home internet connection.

Researcher Buchodi, working alongside Include Security, explains why connected TVs are a prime target compared to smartphones: they are always plugged in, always on Wi-Fi, sit in standby 24/7, face virtually zero corporate or MDM oversight, and are rarely attended by users.

Free Apps Turning Smart TVs into Proxies

The SDK’s configuration confirms this exploitation, with idle threshold flags set to ignore_screen_on: true and ignore_on_call: true, meaning a device is considered eligible to relay third-party traffic even while a user is actively watching or on a call.

The monthly bandwidth default for Wi-Fi relaying is capped at 200 GB per device, according to config values retrieved from Bright Data’s own unauthenticated public endpoint at clientsdk.bright-sdk.com.

The same unauthenticated config endpoint exposes a partner manifest, which researchers identified as including:

  • PlayWorks Digital — 400+ CTV game titles distributed across Samsung, LG, Comcast, Roku, and Sky, reaching an estimated 250 million TV households
  • CloudTV — integrated across 125+ TV brands and 15+ OEMs
  • Viber Media (Rakuten) — 250M–820M monthly active users
  • Moonfrog Labs — ~10M MAU on Teen Patti Gold alone
  • Hola Networks — Bright Data’s lineage parent company

The SDK opens a persistent WebSocket to proxyjs.brdtnet.com:443, resolving to AWS Global Accelerator IPs and presenting a TLS certificate for *.luminatinet.com; Bright Data’s pre-2018 corporate name was Luminati Networks.

This legacy hostname serves as a direct detection pivot for defenders: any luminatinet.com or brdtnet.com traffic on a network is specifically the SDK’s peer-tunnel plane, not legitimate Bright Data customer traffic.

Critically, the SDK uses Apple’s NWParameters.requiredInterface API to bind the data plane directly to the physical Wi-Fi or cellular interface, bypassing any user-configured VPN entirely.

The control plane uses CFHTTPMessage primitives instead of URLSession, defeating standard iOS instrumentation tools. The combination ensures the SDK’s most sensitive channel remains invisible to typical security monitoring layers.

Buchodi recommends blocking the following DNS hostnames at your router:

  • proxyjs.brdtnet.com
  • proxyjs.luminatinet.com
  • clientsdk.bright-sdk.com

For TLS-based filtering, drop any handshake with SNI matching *.brdtnet.com, *.luminatinet.com, or *.luminati.io. Enterprise MDM administrators should scan for Swift binary symbols BrdWebSocketFacade and BrdNetwork.DNSResolver to identify affected apps on managed devices.
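The hostname and SNI indicators listed above can also be hunted for in existing resolver or TLS logs before a block is rolled out. The following is an added example, not code from Include Security or Bright Data; the four-field log format and the sample lines are constructed for illustration, and treating each wildcard as also covering the bare domain is an assumption.

```python
from collections import defaultdict

# Exact hostnames and wildcard suffixes taken from the article.
EXACT_HOSTS = {"proxyjs.brdtnet.com", "proxyjs.luminatinet.com", "clientsdk.bright-sdk.com"}
SUFFIXES = ("brdtnet.com", "luminatinet.com", "luminati.io")


def match_indicator(name):
    """Return the indicator a hostname matches, or None."""
    # DNS names are case-insensitive and may carry a trailing root dot.
    host = name.strip().rstrip(".").lower()
    if host in EXACT_HOSTS:
        return host
    for suffix in SUFFIXES:
        # Match on a label boundary so "notbrdtnet.com" is not flagged.
        if host == suffix or host.endswith("." + suffix):
            return "*." + suffix
    return None


def scan(lines):
    """Parse 'timestamp client source name' lines; return {client: sorted indicators}."""
    hits = defaultdict(set)
    for line in lines:
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than guess at fields
        client, name = parts[1], parts[3]
        indicator = match_indicator(name)
        if indicator:
            hits[client].add(indicator)
    return {client: sorted(found) for client, found in hits.items()}


# Constructed sample log (assumed format; private addresses, invented timestamps).
SAMPLE_LOG = [
    "2026-05-12T20:01:03Z 192.168.1.40 dns proxyjs.brdtnet.com.",
    "2026-05-12T20:01:04Z 192.168.1.40 sni edge7.LUMINATINET.com",
    "2026-05-12T20:01:09Z 192.168.1.40 dns clientsdk.bright-sdk.com",
    "2026-05-12T20:02:11Z 192.168.1.22 dns notbrdtnet.com",
    "2026-05-12T20:02:15Z 192.168.1.22 sni www.example.org",
    "2026-05-12T20:03:00Z 192.168.1.51 sni api.luminati.io",
]

if __name__ == "__main__":
    for client, indicators in sorted(scan(SAMPLE_LOG).items()):
        print(client, "->", ", ".join(indicators))
```

Grouping hits by client address points at the specific TV or phone on the network that carries an affected app, which a router-level block alone does not reveal.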

Include Security notified Bright Data on May 11, 2026, via privacy@brightdata.com. No response was received prior to publication.
