Nearly Half of LG Smart TV Apps Contain Residential Proxy SDKs
We scanned 6,038 apps across LG and Samsung; 2,058 were selling your IP address.
On screen, it’s a relaxing fish tank, a clock, solitaire, or puppies. But under the hood, it is a residential proxy: software that can send other people’s internet traffic out through your living room. And we found it everywhere.
Smart TVs are almost ideal proxy hosts. They sit on the same home network as everything else, but they do not feel like computers, so people rarely audit them like computers. A TV can stay plugged in, signed in, and online for years while the user thinks of it as furniture.
Add a proxy SDK, and the app can keep looking calm while the TV’s internet connection makes money in the background.
The background clause is the part that matters: all three prompts say the proxy can keep running after the app is closed. The app goes away. The proxy does not.
This is not just a story about proxy companies convincing random app developers to embed a monetization SDK. In many cases, the proxy company, or something wearing its name, appears to be the publisher too. Bright Data, Bright Data Ltd, and Bright SDK account for 367 proxy-flagged apps in the dataset. Honeygain UAB (a subsidiary of Oxylabs) shows up as the publisher on another 16.
Some of these are not normal apps that happen to have a proxy SDK inside them. They look more like first-party proxy inventory: thin shovelware games, screensavers, and utility shells shipped at scale so the SDK has somewhere to run. The app is the wrapper. The residential IP is the product.
Once a TV app can act as a proxy, the risk is not limited to someone borrowing your public IP address. The app is running inside your home network. If the proxy provider decides to allow requests to private or local addresses, or if their filtering fails, that TV becomes a foothold for reaching things that were never meant to be exposed to the internet: router admin panels, NAS devices, printers, cameras, developer machines, and other apps listening on local ports.
This is not theoretical. In January 2026, KrebsOnSecurity reported on Kimwolf, a botnet that abused residential proxy networks to tunnel back into the local networks behind proxy endpoints.
The Bright Data sample ships with an explicit private/local blocklist: 127.0.0.0/8, 10.0.0.0/8, 172.16.0.0/12, 169.254.0.0/16, 192.168.0.0/16, and 255.255.255.255. In the local Massive and Honeygain/Oxylabs samples, we did not find a comparable private-range blocklist. That makes the provider’s policy and enforcement the real boundary. If that boundary changes, breaks, or is abused, the same SDK that was framed as ‘web indexing’ can become a cybercriminal’s personal VPN connection into your home network.
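From the home-network side, the same ranges give a simple detection check. The following is an added example, not code from the article or from any SDK it names: it flags flow records where the TV connects to private or local addresses outside a small expected set. The log format, the TV and gateway addresses, and the expected-traffic list are assumptions, and the sample records are constructed.

```python
import ipaddress

# Ranges the article lists for the Bright Data sample's private/local blocklist.
LOCAL_RANGES = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12",
    "169.254.0.0/16", "192.168.0.0/16", "255.255.255.255/32",
)]

# Assumption: LAN traffic a TV is expected to send (DNS, DHCP, NTP to the gateway).
EXPECTED = {("192.168.1.1", 53), ("192.168.1.1", 67), ("192.168.1.1", 123)}

def is_local(addr):
    """True if addr falls inside one of the listed private/local ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in LOCAL_RANGES)

def parse_flow(line):
    """Parse one 'timestamp src dst dport proto' record (constructed format)."""
    ts, src, dst, dport, proto = line.split()
    return {"ts": ts, "src": src, "dst": dst, "dport": int(dport), "proto": proto}

def suspicious_lan_flows(lines, tv_ip):
    """Return flows from the TV to local addresses that are not expected."""
    hits = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        f = parse_flow(line)
        expected = (f["dst"], f["dport"]) in EXPECTED
        if f["src"] == tv_ip and is_local(f["dst"]) and not expected:
            hits.append(f)
    return hits

# Constructed flow records; 192.168.1.50 is the assumed TV address.
SAMPLE = """\
2026-01-10T20:01:02Z 192.168.1.50 192.168.1.1 53 udp
2026-01-10T20:01:03Z 192.168.1.50 203.0.113.10 443 tcp
2026-01-10T20:05:11Z 192.168.1.50 192.168.1.1 80 tcp
2026-01-10T20:05:12Z 192.168.1.50 192.168.1.20 445 tcp
2026-01-10T20:05:13Z 192.168.1.23 192.168.1.20 445 tcp
2026-01-10T20:05:14Z 192.168.1.50 10.0.0.5 9100 tcp
""".splitlines()

if __name__ == "__main__":
    for f in suspicious_lan_flows(SAMPLE, "192.168.1.50"):
        print(f"{f['ts']} {f['src']} -> {f['dst']}:{f['dport']}/{f['proto']}")
```

Same-subnet traffic is switched rather than routed, so these records have to come from a vantage point that sees it, such as a mirrored switch port or the access point.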
Other TV platforms have already drawn a line. Amazon makes it explicit: its Device and System Abuse Policy prohibits apps that facilitate proxy services for third parties. Roku has reportedly shut the door too: Lowpass, syndicated at The Verge, reported that Roku bars developers from using Bright SDK and similar proxy services, and that Roku apps using the SDK disappeared after the company was contacted. LG and Samsung have not drawn an equivalent public line.
The problem is not that residential proxy networks exist. It is that they are being embedded at scale in devices that most consumers do not think of as computers and are not equipped to audit. A one-time consent prompt buried in a TV app is not a substitute for meaningful transparency, ongoing control, and platform oversight.