Residential Proxy SDKs Found in Thousands of LG and Samsung Smart TV Apps

Spur Intelligence has uncovered a widespread privacy risk embedded in smart TV ecosystems: thousands of apps on LG webOS and Samsung Tizen platforms contain residential proxy software development kits (SDKs) that silently route third-party internet traffic through users' home networks. The research, published June 23, 2026, scanned 6,038 apps across both platforms and found that 2,058—or 34.1 percent—carried such code. On LG webOS, the rate was 42.5 percent; on Samsung Tizen, it was 26.9 percent.

Residential proxy SDKs allow a third party to send web requests that appear to originate from a home internet connection. When embedded in a TV app, the SDK uses the device's network link to carry that traffic while the visible app—often a simple game, screensaver, or utility—remains calm and ad-light. The connection earns money in the background, turning the TV into an unwitting participant in a proxy network. Trevor Sutter from Spur Intelligence explained, "Smart TVs are almost ideal proxy hosts. They sit on the same home network as everything else, but they do not feel like computers, so people rarely audit them like computers."

The proxy software asks permission a single time, typically during app installation or first launch. All three prompts observed in the dataset state that the proxy keeps running after the app closes. For example, a Bright Data prompt in a game called Galactic Harmony offers ad-free play in exchange for letting the company use the device's IP address for web indexing. A Pac-Man title on Tizen presents the same exchange. The consent is often buried in terms of service that users rarely read.

The publishers behind these apps include major proxy providers. Bright Data, Bright Data Ltd, and Bright SDK account for 367 proxy-flagged apps in the dataset. Honeygain UAB, a subsidiary of Oxylabs, shows up as the publisher on another 16 apps. Many of the apps are thin shovelware games, screensavers, and utility shells shipped at scale so the software has somewhere to run. The app serves as the wrapper; the residential IP address is the product.

Platform policies vary significantly. Amazon prohibits this category through its Device and System Abuse Policy, which bars apps that facilitate proxy services for third parties. Roku reportedly bars developers from using Bright SDK and similar services, and affected apps disappeared after the company was contacted. However, LG and Samsung have yet to publish an equivalent policy, and the same business model continues to appear at scale on webOS and Tizen.

The risk to home networks is substantial. A TV app acting as a proxy runs inside the home network. If a provider permits requests to private or local addresses, or if filtering fails, the device can reach router admin panels, NAS devices, printers, cameras, and developer machines. The Bright Data sample ships with a blocklist covering private ranges including 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16. However, the local Massive and Honeygain/Oxylabs samples lacked a comparable private-range blocklist. The provider's filtering and customer vetting form the boundary, and the device owner lacks any means to verify it from the TV.

Vendors responded to the research. Bright Data said consent and independent audits separate a legitimate network from a harmful one, and that it approves use only for verified business, research, and journalistic purposes. Massive said its network users pass a Know Your Customer process and that its technical controls operate server-side. Oxylabs said it restricts access to private and local ranges through filtering, traffic inspection, and blocklists. Sutter concluded, "The proxy providers contacted for this research emphasized customer vetting, traffic restrictions, and abuse-prevention controls. Those controls may reduce risk, but they do not change the underlying reality that residential proxy infrastructure is being embedded at scale in devices that most consumers do not recognize as participating in such networks."