Researchers at threat-intelligence firm Spur Intelligence scanned 6,038 apps across LG webOS and Samsung Tizen and found that 2,058 of them, about 34 percent, embed residential proxy software development kits (SDKs). The findings, published Tuesday, show that 42.5 percent of LG webOS apps carried proxy SDK code, compared with 26.9 percent on Samsung Tizen.
A residential proxy routes external internet traffic through a consumer device, causing web requests to appear to originate from inside a home network. In a TV app, the SDK runs in the background while the visible app—a clock, a screensaver, a simple game—displays normally. The device’s internet connection earns money for the SDK operator.
According to Spur, three proxy vendors account for the bulk of the flagged apps: Bright Data, Massive, and Honeygain, a subsidiary of Oxylabs. It found that Bright Data, listed under several publisher names, accounted for 367 proxy-flagged titles. In some cases, the proxy company itself appears to be the publisher—shipping thin screensavers and utility apps as vehicles for SDK distribution rather than as standalone products.
Consent prompts exist, but Spur’s analysis flags structural problems with them. All three SDKs ask once, at install time, and allow proxy traffic to continue after the app is closed. The Pac-Man app on Samsung Tizen frames the Bright Data SDK as the ad-free option—accept the proxy, skip the ads. The framing reduces the decision to a convenience trade-off while obscuring the network implications.
Amazon bars the category outright through its Device and System Abuse Policy. Roku has reportedly removed affected apps and bars developers from using Bright SDK. LG and Samsung have published no equivalent policy.
In January 2026, KrebsOnSecurity reported on the Kimwolf botnet, which reached more than two million Android devices—primarily TV boxes and smart TVs—by exploiting exposed ADB services through residential proxy networks.
KrebsOnSecurity described attackers using proxy access to traverse local area networks, reaching routers, NAS devices, cameras, and other equipment that was never intended to be internet-accessible.
Spur’s research notes that while the Bright Data SDK ships with a blocklist for private IP ranges, the Massive and Honeygain samples it analyzed did not include comparable local-network filters—meaning the actual boundary is the proxy operator’s server-side policy, not a technical control on the device itself.
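
A device-side local-network filter of the kind Spur describes could look like the following. This is an added example, not code from Spur or from any of the SDKs named, and every function name in it is hypothetical. It goes beyond the private IP ranges mentioned above by also covering loopback, link-local, carrier-grade NAT, IPv6 local ranges and IPv4-mapped IPv6, and it refuses to relay unless every address the destination resolved to is public.

```javascript
// Added example, hypothetical names. Blocked IPv4 ranges: [network, prefix length].
const BLOCKED_V4 = [
  ['0.0.0.0', 8], ['10.0.0.0', 8], ['100.64.0.0', 10], ['127.0.0.0', 8],
  ['169.254.0.0', 16], ['172.16.0.0', 12], ['192.168.0.0', 16], ['224.0.0.0', 3],
];

// Dotted-quad string -> 32-bit number, or null if malformed.
function v4ToInt(ip) {
  const parts = ip.split('.');
  if (parts.length !== 4 || parts.some((p) => !/^\d{1,3}$/.test(p) || +p > 255)) return null;
  return parts.reduce((n, p) => n * 256 + +p, 0);
}
// Two addresses share a block when dividing by the block size gives the same index.
const isLocalV4 = (n) => BLOCKED_V4.some(([net, bits]) =>
  Math.floor(n / 2 ** (32 - bits)) === Math.floor(v4ToInt(net) / 2 ** (32 - bits)));

// IPv6 literal (optionally ending in dotted IPv4) -> eight 16-bit groups, or null.
function v6Groups(ip) {
  const halves = ip.split('::');
  if (halves.length > 2) return null;
  const [head, tail = []] = halves.map((h) => (h ? h.split(':') : []));
  const last = halves.length === 2 ? tail : head;
  if (last.length && last[last.length - 1].includes('.')) {
    const n = v4ToInt(last.pop());
    if (n === null) return null;
    last.push((n >>> 16).toString(16), (n & 0xffff).toString(16));
  }
  const fill = halves.length === 2 ? Math.max(8 - head.length - tail.length, 0) : 0;
  const groups = [...head, ...Array(fill).fill('0'), ...tail];
  if (groups.length !== 8 || groups.some((g) => !/^[0-9a-f]{1,4}$/i.test(g))) return null;
  return groups.map((g) => parseInt(g, 16));
}
function isLocalV6(g) {
  const zeros = (k) => g.slice(0, k).every((x) => x === 0);
  if (zeros(5) && g[5] === 0xffff) return isLocalV4(g[6] * 65536 + g[7]); // IPv4-mapped
  if (zeros(6)) return true; // ::, ::1 and deprecated IPv4-compatible ::/96
  return (g[0] & 0xfe00) === 0xfc00 // fc00::/7 unique local
    || (g[0] & 0xffc0) === 0xfe80 // fe80::/10 link-local
    || (g[0] & 0xff00) === 0xff00; // ff00::/8 multicast
}

// Relay only if every address the destination resolved to is public; fail closed.
function mayRelay(resolvedAddrs) {
  return resolvedAddrs.length > 0 && resolvedAddrs.every((addr) => {
    const a = addr.replace(/^\[|\]$/g, '').split('%')[0]; // drop brackets and zone id
    const g = v6Groups(a.includes(':') ? a : '::ffff:' + a);
    return g !== null && !isLocalV6(g);
  });
}
```

The check has to run on the addresses actually connected to, after name resolution, because a public hostname can resolve to a LAN address.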
The FBI issued a public service announcement on residential proxy networks in March 2026, warning that when criminal activity is tied to a consumer IP address, the device owner may face legal exposure even without any malicious intent.
As for Roku and Amazon, both have published statements saying that consumers running LG or Samsung sets have no platform guarantee that installed apps are not operating as proxy nodes.