Half of LG smart TV apps ship hidden residential proxy SDKs, study finds
Spur Intelligence Labs unpacked and scanned 6,038 LG webOS and Samsung Tizen apps and found 2,058 of them — roughly a third overall, and nearly half on LG — carrying confirmed residential proxy SDKs from Bright Data, Massive, and Honeygain/Oxylabs. The apps tend to be calm, low-friction things like fish-tank screensavers, clocks, and solitaire clones, which is the point: instead of monetizing with ads, they quietly route strangers’ internet traffic out through the owner’s home connection. TVs make ideal hosts because they stay plugged in and signed in for years, draw no battery, and are mentally filed as furniture rather than computers, so a one-time consent prompt clicked through during setup keeps paying out long after anyone remembers agreeing to it.
In many cases the proxy vendor is also the publisher — Bright Data and its variants account for 367 flagged apps, Honeygain UAB for another 16 — suggesting much of this isn’t legitimate software that happened to bundle an SDK but thin shovelware shipped purely as a home for the proxy. The real danger is that a proxied app runs inside the home LAN: if a provider relaxes or fails its filtering, the TV becomes a foothold to router panels, NAS boxes, cameras, printers, and dev machines. Spur points to January 2026 KrebsOnSecurity reporting on the Kimwolf botnet, which abused proxy nodes to tunnel into the local networks behind them. Bright Data’s SDK at least ships an explicit private-range blocklist, but Massive’s and Honeygain’s samples did not — meaning the only boundary is the provider’s own policy code and customer vetting, which the device owner cannot verify.
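To make concrete what that private-range blocklist is, and why its absence leaves the LAN exposed, here is an added example (written for this summary, not Bright Data's, Massive's or Honeygain's SDK code) of the egress check a proxy node should apply to every target before relaying a customer's request; the sample targets are constructed.

```python
"""Egress filter of the kind a residential-proxy SDK should apply before relaying
a customer's request out through a household's connection. Added example for
this summary; it is not Bright Data's, Massive's or Honeygain's code."""
import ipaddress
from urllib.parse import urlsplit

# Destinations a home egress node must never reach on a customer's behalf:
# anything that would let the remote party touch the LAN the TV sits on.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",      # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16", "100.64.0.0/10",     # loopback, link-local, CGNAT
    "0.0.0.0/8", "224.0.0.0/4", "240.0.0.0/4",            # unspecified, multicast, reserved
    "::1/128", "fc00::/7", "fe80::/10", "::ffff:0:0/96",  # v6 loopback, ULA, link-local, v4-mapped
)]
# Name suffixes that only resolve inside a home network (mDNS, router defaults).
BLOCKED_HOST_SUFFIXES = (".local", ".internal", ".lan", ".home", ".arpa")


def is_blocked_ip(ip_text):
    """True if the address literal falls in a private or reserved range."""
    try:
        addr = ipaddress.ip_address(ip_text)
    except ValueError:
        return True  # unparsable literal: fail closed
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped  # ::ffff:192.168.1.1 is still the LAN
    return any(addr in net for net in BLOCKED_NETWORKS)


def egress_decision(target):
    """Return 'allow' or 'deny' for a proxied request target (URL or host:port).
    Hostnames are judged by suffix only; a production filter must also re-check
    the address the name resolves to, or a customer-controlled DNS record can
    point a harmless-looking name at 192.168.x.x."""
    parts = urlsplit(target if "://" in target else "http://" + target)
    host = (parts.hostname or "").rstrip(".").lower()
    if not host or host == "localhost" or host.endswith(BLOCKED_HOST_SUFFIXES):
        return "deny"
    try:
        ipaddress.ip_address(host)
    except ValueError:
        return "allow"  # a DNS name; see docstring
    return "deny" if is_blocked_ip(host) else "allow"


if __name__ == "__main__":
    # Constructed sample of targets a proxy customer might submit.
    for t in ("https://example.com/", "http://192.168.1.1/admin",
              "http://[::ffff:10.0.0.5]:8080/", "nas.local:5000", "100.64.3.7"):
        print(f"{t:34} -> {egress_decision(t)}")
```

Without a check like this, the only thing between a proxy customer and the router panel or NAS behind the TV is the vendor's server-side policy, which the device owner cannot inspect.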
The platform picture is uneven. Amazon’s policy bans apps that facilitate third-party proxy services, and Roku reportedly bars Bright SDK and pulled apps using it, but LG and Samsung have drawn no equivalent public line — which is exactly the gap this business model is exploiting at scale on webOS and Tizen. Bright Data, Massive, and Oxylabs all defended their consent and KYC frameworks when contacted, but Massive conceded that minimal user visibility is by design, underscoring that enforcement, not technology, is what stands between ‘web indexing’ and a criminal’s VPN into your living room.
Continue reading at Hacker News.

This is an AI-generated summary. Read the original for the full story.