- What: Bright Data's SDK embedded in free apps converts smart TVs and mobile devices into residential proxy exit nodes that relay AI web-scraping traffic without meaningful authentication.
- Impact: Home connections and bandwidth are conscripted as commercial scraping infrastructure, with iOS traffic bypassing VPNs and devices allowed to relay up to 200 GB monthly while appearing idle.
- Fix / mitigation: Block SDK domains (proxyjs.brdtnet.com, proxyjs.luminatinet.com, proxyjs.bright-sdk.com, clientsdk.bright-sdk.com, clientsdk.brdtnet.com) via Pi-hole, NextDNS, or enterprise firewall rules.
- Who's at risk: Consumers with smart TVs running apps from PlayWorks Digital, CloudTV, Longvision, and other Bright Data partners; IT teams managing BYOD mobile devices running SDK-embedded apps.
Security researchers have reverse-engineered the iOS SDK that Bright Data embeds in consumer applications, revealing how free apps convert always-on smart TVs and mobile devices into residential proxy exit nodes for commercial AI web scraping. The SDK creates an unauthenticated peer channel that relays scraping jobs through users' home IP addresses, bypasses configured VPNs on iOS, and remains largely invisible to standard security monitoring tools.
Bright Data operates what it markets as the world's largest residential proxy network—over 400 million residential IPs—with a significant portion supplied by its SDK embedded in free consumer apps. The company advertises a consent-sourced pool of more than 150 million IPs, positioning itself as the legal alternative to hijacked botnet proxies while serving AI customers blocked by datacenter-based anti-bot defenses from Cloudflare and DataDome.
Technical findings: No authentication, VPN bypass, invisible traffic
The June 5 research from Include Security and independent researcher Buchodi documented that when an SDK-enabled app opens, it contacts Bright Data's servers, which deliver scraping instructions without meaningful authentication. The peer channel carrying those jobs lacks standard security controls—researchers describe it as weaker than protections typically built into malware command-and-control infrastructure.
On iOS devices, the SDK's traffic sidesteps configured VPNs entirely. Much of the SDK's activity does not appear in tools security teams normally use for app inspection. The device can continue relaying traffic in the background during video calls, screen-on activity, or while seemingly idle, pausing only when battery level drops below SDK-defined thresholds.
Connected televisions present optimal conditions for residential proxy operations: always powered on, connected to fast unmetered broadband, rarely monitored for network activity, and typically exempt from corporate security controls that govern laptops and phones.
The consent gap: 'Occasional' means 200 GB monthly
Opt-in screens presented to users do not accurately reflect SDK behavior. In the Roku app Petflix, the consent screen stated the device and connection would be used "occasionally." The SDK configuration file allows up to 200 GB of monthly traffic. In select countries including Uzbekistan and Oman, limits are set significantly higher, and devices are authorized to operate until battery reaches near-depletion levels.
The SDK can link multiple devices running apps from the same publisher—phones, tablets, computers—and treat them as a unified user pool. Bright Data publicly lists app partners on its website, including smart TV app developers PlayWorks Digital, CloudTV, and Longvision. Researchers emphasize that partner list inclusion indicates a business relationship existed at some point, not necessarily that current app versions contain the SDK.
From Hola VPN to AI-fueled demand
The business model is not new—only the scale has changed. Bright Data is the successor to Luminati, which originated from Hola VPN. In 2015, Hola was exposed selling free users' bandwidth as exit nodes through Luminati at $20 per gigabyte. The same architecture now runs on living-room set-top boxes, driven by AI industry demand for residential IPs that evade datacenter-blocking anti-bot systems.
Brian Krebs reported in October 2025 that botnet-sourced proxies like Aisuru were fueling large-scale AI data harvesting. Google dismantled the criminal IPIDEA proxy network in January 2026. Those operations hijack devices without consent; Bright Data presents an opt-in screen and positions consent as the dividing line. Whether that consent is informed and meaningful remains the central question.
Google, Amazon, and Roku have restricted background proxy SDKs following February 2025 reporting by Lowpass. Bright Data subsequently dropped those platforms but continues to list support for Samsung Tizen and LG webOS smart TV operating systems.
Detection and mitigation
The SDK's network traffic is straightforward to identify and block. For home networks, router-level DNS filtering tools like Pi-hole or NextDNS can block the primary SDK domains:
- proxyjs.brdtnet.com
- proxyjs.luminatinet.com
- proxyjs.bright-sdk.com
- clientsdk.bright-sdk.com
- clientsdk.brdtnet.com
According to the research, blocking these domains stops relay activity without affecting Bright Data's paid commercial proxy service, which operates on separate infrastructure. Enterprise IT teams managing employee-owned devices can scan for apps containing the SDK, though mobile carrier connections will bypass office Wi-Fi network blocks. Bright Data could modify SDK connection methods in future versions, requiring blocklist updates.
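The DNS-level check described above, as an added example that is not part of the research or of any Bright Data code: it matches the five SDK domains (and their subdomains) against Pi-hole/dnsmasq query-log lines to name the internal hosts that resolved them, and emits dnsmasq `address=` lines that sinkhole the same domains. The log lines are constructed; the log format is assumed to be dnsmasq's standard query line.

```python
"""Find internal hosts resolving Bright Data SDK domains and build a dnsmasq blocklist.

Added example, not from the original research or Bright Data. The log lines
below are constructed in dnsmasq's query-log format as used by Pi-hole.
"""
import re
from collections import defaultdict

# Domains named in the Include Security / Buchodi research.
SDK_DOMAINS = {
    "proxyjs.brdtnet.com",
    "proxyjs.luminatinet.com",
    "proxyjs.bright-sdk.com",
    "clientsdk.bright-sdk.com",
    "clientsdk.brdtnet.com",
}

# dnsmasq/Pi-hole query line: "<ts> dnsmasq[pid]: query[A] <name> from <client>"
QUERY_RE = re.compile(r"query\[[A-Z]+\]\s+(?P<name>\S+)\s+from\s+(?P<client>\S+)")


def is_sdk_domain(name: str) -> bool:
    """True for an SDK domain or any subdomain of one (matched on a label boundary)."""
    name = name.rstrip(".").lower()
    return any(name == d or name.endswith("." + d) for d in SDK_DOMAINS)


def find_relay_clients(log_lines):
    """Map each internal client IP to the set of SDK domains it resolved."""
    hits = defaultdict(set)
    for line in log_lines:
        m = QUERY_RE.search(line)
        if m and is_sdk_domain(m.group("name")):
            hits[m.group("client")].add(m.group("name").rstrip(".").lower())
    return dict(hits)


def dnsmasq_blocklist():
    """dnsmasq config lines that sinkhole each SDK domain and all of its subdomains."""
    return [f"address=/{d}/0.0.0.0" for d in sorted(SDK_DOMAINS)]


# Constructed sample log: a smart TV (.50) contacts the SDK, a laptop (.20) does not.
SAMPLE_LOG = [
    "Jun  5 20:01:10 dnsmasq[812]: query[A] proxyjs.brdtnet.com from 192.168.1.50",
    "Jun  5 20:01:11 dnsmasq[812]: query[A] www.example.com from 192.168.1.20",
    "Jun  5 20:03:44 dnsmasq[812]: query[AAAA] clientsdk.bright-sdk.com from 192.168.1.50",
    "Jun  5 20:03:45 dnsmasq[812]: query[A] notbrdtnet.com from 192.168.1.20",
]

if __name__ == "__main__":
    for client, names in find_relay_clients(SAMPLE_LOG).items():
        print(f"{client} resolved SDK domains: {', '.join(sorted(names))}")
    print("\n".join(dnsmasq_blocklist()))
```

The `address=` lines can be dropped into a dnsmasq config fragment (on Pi-hole, under /etc/dnsmasq.d/) or the domains added to a NextDNS denylist; re-run the log scan after deployment to confirm the queries stop.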
Risk assessment for IT teams
The immediate risk is not account compromise or data exfiltration from the device itself. The threat is bandwidth consumption, IP reputation damage from third-party scraping activity, and potential service disruptions if ISPs flag abnormal traffic patterns. For corporate environments with BYOD policies, employee devices running SDK-embedded apps on cellular connections will relay traffic invisibly to network security tools.
Smart TVs in corporate lobbies, conference rooms, or executive offices running free streaming apps represent unmonitored network endpoints. If connected to corporate networks rather than isolated guest Wi-Fi, these devices can relay scraping traffic through the organization's external IP, complicating threat attribution and potentially triggering third-party security alerts or blocklists.
Recommendations
- Implement DNS-level blocking of known SDK domains at the perimeter and on DNS resolvers
- Audit smart TVs and streaming devices for connectivity to corporate networks; migrate to isolated guest VLANs
- Include SDK-embedded app detection in mobile device management (MDM) app inventory scans
- Monitor egress traffic for residential proxy patterns: high-volume HTTPS to diverse destination domains from static internal IPs
- Review BYOD acceptable use policies to explicitly address bandwidth-sharing and proxy SDK prohibitions
- Educate users that "free" apps on smart TVs and mobile devices may monetize through background network usage
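The egress heuristic in the monitoring recommendation above (high-volume HTTPS to many distinct destinations from one static internal IP), as an added example that is not part of the research: it scores flow records per internal source and flags those that exceed both a destination-diversity and a byte-volume threshold. The flow records and both thresholds are constructed assumptions to be tuned against a site's own baseline; destination IPs stand in for domains where SNI or DNS data is unavailable.

```python
"""Flag internal hosts whose egress looks like residential-proxy relaying:
high-volume HTTPS to many distinct destinations from a single static source.

Added example, not from the original research. Flow records are constructed
and the thresholds are assumptions; tune them to the environment's baseline.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str        # internal source IP
    dst: str        # external destination IP (proxy for destination domain)
    dport: int
    out_bytes: int  # bytes sent by src in this flow


# Assumed thresholds per observation window (e.g. one hour).
MIN_DISTINCT_DESTS = 25
MIN_BYTES = 200 * 1024 * 1024   # 200 MiB


def score_sources(flows, min_dests=MIN_DISTINCT_DESTS, min_bytes=MIN_BYTES):
    """Return {src: (distinct_https_dests, https_bytes)} for sources over both thresholds."""
    dests = defaultdict(set)
    volume = defaultdict(int)
    for f in flows:
        if f.dport != 443:          # the pattern of interest is HTTPS fan-out
            continue
        dests[f.src].add(f.dst)
        volume[f.src] += f.out_bytes
    return {
        src: (len(d), volume[src])
        for src, d in dests.items()
        if len(d) >= min_dests and volume[src] >= min_bytes
    }


def constructed_flows():
    """Constructed sample: a smart TV fans out to 40 hosts; a laptop talks to 3."""
    flows = []
    for i in range(40):   # TV: many unrelated destinations, steady uploads
        flows.append(Flow("10.0.5.50", f"203.0.113.{i + 1}", 443, 8 * 1024 * 1024))
    for i in range(3):    # laptop: a few SaaS endpoints, larger but concentrated volume
        flows.append(Flow("10.0.5.20", f"198.51.100.{i + 1}", 443, 50 * 1024 * 1024))
    flows.append(Flow("10.0.5.20", "198.51.100.9", 80, 1024))  # plain HTTP is ignored
    return flows


if __name__ == "__main__":
    for src, (n_dests, nbytes) in score_sources(constructed_flows()).items():
        print(f"{src}: {n_dests} distinct HTTPS destinations, {nbytes // 2**20} MiB out")
```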
The research demonstrates that the line between consensual bandwidth-sharing and device hijacking is thinner than marketing claims suggest. As AI companies increasingly rely on residential proxies to circumvent anti-bot defenses, expect continued pressure on both botnet operators and SDK-based "legitimate" proxy providers. The technical controls to detect and block this activity exist today; the harder challenge is user awareness that clicking "agree" on a free TV app may turn their living room into commercial scraping infrastructure.