Researchers at Include Security reported that free apps across Samsung, LG, and Roku smart TV ecosystems, as well as some mobile apps, embedded a Bright Data SDK that allegedly converts consumer devices into residential proxy exit nodes for web-scraping traffic, including AI data collection. The researchers said the SDK fetches an unauthenticated configuration, opens a persistent WebSocket peer tunnel, and relays third-party HTTP requests through users’ home internet connections, with consent disclosures allegedly buried in hard-to-find interface dialogs. Publicly exposed configuration data indicated a default Wi‑Fi relay cap of 200 GB per device per month, and partner associations reportedly included PlayWorks Digital, CloudTV, Viber Media, Moonfrog Labs, and Hola Networks.
The report said smart TVs are especially attractive proxy nodes because they are typically always on, connected to Wi‑Fi, and rarely monitored, while technical design choices reduced visibility by binding traffic directly to physical interfaces and using lower-level iOS networking primitives that can bypass VPN routing and evade common instrumentation. Independent reporting said the main risk is misuse of consumers’ residential IP addresses and bandwidth rather than direct account takeover, and noted that major platforms including Google, Amazon, and Roku have restricted background proxy SDK behavior. Include Security said it reverse-engineered the iOS framework, monitored runtime traffic for 30 days, and notified Bright Data on May 11, 2026, but had not received a response before publication.

Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
2 events from the most recent confirmed update back to the earliest known activity.
On 2026-06-05, Include Security published research alleging that Bright Data's SDK embedded in partner apps can turn mobile devices and smart TVs into residential proxy exit nodes for web-scraping traffic, including AI data collection. The report described technical behaviors including unauthenticated configuration retrieval, persistent peer tunnels, VPN bypass on iOS, and exposed partner associations.
Include Security said it notified Bright Data on 2026-05-11 about its findings on the company's SDK allegedly turning consumer devices into residential proxy exit nodes. The researchers said they had not received a response by the time of publication.
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
5 references tracked. Mallory keeps watching after this page renders.
scworld.com
Open sourcexakep.ru
Open sourcecybersecuritynews.com
Open sourcethehackernews.com
Open sourceblog.includesecurity.com
Open sourceMap indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.