Free Apps Turn Samsung & LG Smart TVs into Secret AI Prox

Free applications available across Samsung, LG, Roku, and other major smart TV platforms have quietly enrolled millions of living room devices into a commercial residential proxy network. This network is then leveraged to scrape web data for AI training. According to new research from Include Security, this enrollment process often relies on a consent dialog buried deep within a TV remote’s arrow-key navigation.

The culprit is an SDK developed by Bright Data, a Tel Aviv-based data-collection company that markets what it calls the world’s largest residential proxy network, claiming 150M+ IP addresses sourced via embedded software in partner apps.

When installed, the SDK silently transforms a user’s connected TV (CTV) or mobile device into an exit node, routing paying customers’ web-scraping traffic through the user’s home internet connection.

Researcher Buchodi, working alongside Include Security, explains why connected TVs are a prime target compared to smartphones: they are always plugged in, always on Wi-Fi, sit in standby 24/7, face virtually zero corporate or MDM oversight, and are rarely attended by users.

Free Apps Turning Smart TVs into Proxies

The SDK’s configuration confirms this exploitation, with idle threshold flags set to ignore_screen_on: true and ignore_on_call: true meaning a device is considered eligible to relay third-party traffic even while a user is actively watching or on a call.

The monthly bandwidth default for Wi-Fi relaying is capped at 200 GB per device, according to config values retrieved from Bright Data’s own unauthenticated public endpoint at clientsdk.bright-sdk.com.

The same unauthenticated config endpoint exposes a partner manifest, which researchers identified as including:

• PlayWorks Digital — 400+ CTV game titles distributed across Samsung, LG, Comcast, Roku, and Sky, reaching an estimated 250 million TV households
• CloudTV — integrated across 125+ TV brands and 15+ OEMs
• Viber Media (Rakuten) — 250M–820M monthly active users
• Moonfrog Labs — ~10M MAU on Teen Patti Gold alone
• Hola Networks — Bright Data’s lineage parent company

The SDK opens a persistent WebSocket to proxyjs.brdtnet.com:443, resolving to AWS Global Accelerator IPs and presenting a TLS certificate for *.luminatinet.com Bright Data’s pre-2018 corporate name was Luminati Networks.

This legacy hostname serves as a direct detection pivot for defenders: any luminatinet.com or brdtnet.com traffic on a network is specifically the SDK’s peer-tunnel plane, not legitimate Bright Data customer traffic.

Critically, the SDK uses Apple’s NWParameters.requiredInterface API to bind the data plane directly to the physical Wi-Fi or cellular interface, bypassing any user-configured VPN entirely.

The control plane uses CFHTTPMessage primitives instead of URLSession, defeating standard iOS instrumentation tools. The combination ensures the SDK’s most sensitive channel remains invisible to typical security monitoring layers.

Buchodi recommends blocking the following DNS hostnames at your router:

• proxyjs.brdtnet.com
• proxyjs.luminatinet.com
• clientsdk.bright-sdk.com

For TLS-based filtering, drop any handshake with SNI matching *.brdtnet.com, *.luminatinet.com, or *.luminati.io. Enterprise MDM administrators should scan for Swift binary symbols BrdWebSocketFacade and BrdNetwork.DNSResolver to identify affected apps on managed devices.

Include Security notified Bright Data on May 11, 2026, via [email protected]. No response was received prior to publication.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.