
Over a Third of Smart TV Apps Are Using Your Home Network as a Proxy

Spur's scan of 6,038 LG and Samsung apps found 2,058 shipping residential proxy SDKs. These aren't just ad fraud - they're a backdoor into your LAN.


Over a third of the 6,038 smart TV apps Spur scanned across LG webOS and Samsung Tizen are running residential proxy SDKs that turn your living room into a traffic relay. That's 2,058 apps selling your public IP address while you watch a fish tank, a clock, or solitaire.

I've been saying for years that the least-audited computer on your home network is the one bolted to your wall. Now there's hard data.

Why TVs Are the Perfect Proxy Hosts

Smart TVs sit on the same LAN as your router, NAS, and security cameras. They have no battery to drain, no cellular bill to spike, and no app switcher that flags background processes. Users treat them as furniture and never audit what runs after the screen saver fades in.

A TV can stay plugged in, signed in, and online for years while the proxy SDK quietly multiplexes strangers' traffic through your home connection. The user thinks they're looking at a digital painting. Under the hood, the app is a residential proxy endpoint.

The Consent Trick: Ask Once, Proxy Forever

Every proxy SDK Spur examined asks for permission exactly once, usually during initial setup. All three major SDKs (Bright Data, Honeygain/Oxylabs, Massive) include a background clause: the proxy keeps running even after the app is closed. The app goes away. The proxy does not.

Pac-Man on Tizen made the trade-off explicit: accept Bright Data's proxy SDK and the game becomes ad-free. Decline and you keep the ad-supported version. That's a clean monetization fork - watch ads or become part of the proxy network.

Who's Publishing These Apps? The Proxy Companies Themselves

This isn't just a story about developers embedding third-party SDKs. Spur found that Bright Data, Bright Data Ltd, and Bright SDK are the listed publishers for 367 proxy-flagged apps. Honeygain UAB, a subsidiary of Oxylabs, published 16 more.

Many of those apps are thin shovelware: screensavers, clock faces, simple utility shells. The app is the wrapper. The residential IP is the product. These look like first-party proxy inventory shipped at scale to give the SDK somewhere to run.

The Platform Gap: Amazon and Roku Say No, LG and Samsung Say Nothing

Amazon's Device and System Abuse Policy explicitly prohibits apps that facilitate proxy services for third parties. Roku reportedly shuts it down too - Lowpass (syndicated at The Verge) reported that Roku bars Bright SDK and similar services, and apps using them disappeared after Roku was contacted.

LG and Samsung have not drawn an equivalent public line. The same business model that Amazon bans and Roku blocks is still running at scale on webOS and Tizen.

The Real Danger: Not Just Your IP, Your Whole LAN

Once a TV app runs a proxy, the risk extends beyond someone borrowing your public IP. The app runs inside your home network. If the proxy provider's filters fail - or if they allow requests to private addresses - that TV becomes a foothold for reaching router admin panels, NAS devices, printers, cameras, and developer machines.

This is not theoretical. In January 2026, KrebsOnSecurity reported on the Kimwolf botnet, which abused residential proxy networks to tunnel back into the local networks behind proxy endpoints. Attackers used proxy access to reach devices on the same LAN as the proxy node and spread further from there.

The Bright Data SDK ships with an explicit private-range blocklist (127.0.0.0/8, 10.0.0.0/8, etc.), which is good to see. But the Massive and Honeygain/Oxylabs samples Spur examined did not contain comparable blocklists. The boundary between safe public-web traffic and a criminal VPN into your home network is enforced only by the proxy company's customer vetting, traffic filters, and internal rules. The device owner has no way to verify that boundary from the TV.

Spur's methodology is worth noting: they downloaded actual LG and Samsung app packages and unpacked them. That ground truth should worry anyone who treats their TV as an appliance. If your TV runs one of these apps, the only way to know the proxy isn't being abused is to trust the proxy company's word. I'd rather audit the device.
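
One way to check that boundary from the network side rather than from the TV, as an added example that is not from Spur's report or this article: a Python script that scans router flow records for the TV contacting other internal hosts. The record format (source, destination, destination port), the TV address 192.168.1.50, the allowlist and every sample line are constructed assumptions.

```python
import ipaddress

# Constructed flow records: "src dst dst_port", as a router might export them.
# Every address below is a sample value made up for this example.
SAMPLE_FLOWS = """\
192.168.1.50 93.184.216.34 443
192.168.1.50 192.168.1.1 53
192.168.1.50 239.255.255.250 1900
192.168.1.50 192.168.1.1 80
192.168.1.50 192.168.1.20 445
192.168.1.50 ::ffff:10.0.0.5 8080
192.168.1.77 192.168.1.20 445
192.168.1.50 fd00::20 554
"""

TV_IP = ipaddress.ip_address("192.168.1.50")  # assumed address of the TV
# Assumed local services the TV legitimately needs: DNS, DHCP, NTP on the gateway.
ALLOWED = {("192.168.1.1", 53), ("192.168.1.1", 67), ("192.168.1.1", 123)}


def normalize(addr):
    """Parse an address and unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d)."""
    ip = ipaddress.ip_address(addr)
    mapped = getattr(ip, "ipv4_mapped", None)
    return mapped if mapped is not None else ip


def is_internal_unicast(ip):
    """True for unicast addresses that ipaddress classes as private, loopback
    or link-local (this covers RFC 1918 and IPv6 ULA). Multicast discovery
    traffic such as SSDP is excluded."""
    if ip.is_multicast:
        return False
    return ip.is_private or ip.is_loopback or ip.is_link_local


def suspicious_lan_flows(text, tv_ip=TV_IP, allowed=ALLOWED):
    """Return (dst, port) for each flow where the TV reaches an internal
    host that is not on the allowlist."""
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed records
        src, dst, port = normalize(parts[0]), normalize(parts[1]), int(parts[2])
        if src == tv_ip and is_internal_unicast(dst) and (str(dst), port) not in allowed:
            hits.append((str(dst), port))
    return hits
```

On the sample records this flags the TV's connections to the router's web port, the two other LAN hosts and the IPv4-mapped private address, while ignoring its public traffic, allowlisted DNS and SSDP multicast.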


Source: Nearly half of LG smart TV apps contain residential proxy SDKs
Domain: spur.us
