Tech

Study reveals nearly half of LG and Samsung smart TV apps host residential proxy networks

While Amazon and Roku prohibit such practices, LG and Samsung have yet to establish public policies, leaving consumers’ local area networks potentially exposed to third-party traffic routing.

Author: Owen Mercer, Markets and Finance Editor
Published: Draft
Source: Hacker News
Spur Intelligence Labs finds 2,058 applications on major platforms contain SDKs that route traffic through home networks, raising security concerns absent on rival platforms

A recent audit by Spur Intelligence Labs has identified that nearly half of the applications scanned on LG and Samsung smart TV platforms contain residential proxy software development kits (SDKs). The study analysed 6,038 applications across LG’s webOS and Samsung’s Tizen systems, uncovering 2,058 instances of software that allows third parties to route internet traffic through users’ home networks. The flagged applications include screensavers, games, and utility shells, with some appearing to be first-party proxy inventory rather than standard consumer apps.

The findings highlight a significant divergence in platform governance. While Amazon’s Device and System Abuse Policy explicitly prohibits apps that facilitate proxy services for third parties, and Roku has reportedly barred developers from using similar SDKs, neither LG nor Samsung has established an equivalent public policy. This regulatory gap allows the practice to persist at scale on the two largest smart TV ecosystems, despite the potential risks to consumer privacy and local network security.

The primary providers of these SDKs were identified as Bright Data, Massive, and Oxylabs, which operates the Honeygain network. Bright Data accounted for 367 of the flagged apps, while Honeygain and Oxylabs were associated with 16. The study noted that in many cases, the proxy companies or entities using their branding appear to be the publishers themselves, distributing thin applications designed primarily to host the SDK. This model monetises the device’s internet connection in the background, often presenting users with a choice between watching ads or allowing their IP address to be used for web indexing.

Security concerns extend beyond the use of public IP addresses. If a proxy provider’s filtering fails or allows requests to private IP ranges, the smart TV can serve as a foothold for accessing local area network devices such as routers, network-attached storage, and cameras. The study found that while the Bright Data SDK included an explicit blocklist for private IP ranges, samples from Massive and Honeygain/Oxylabs did not show comparable local blocklists in the analysis. This reliance on server-side controls and customer vetting places the burden of security on the proxy provider rather than on technical safeguards within the device.
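To make the device-side safeguard described above concrete, here is an added example (not code from the study or from any vendor's SDK) of a fail-closed check an exit node could run on the resolved address of each destination before relaying. The range list, the function names and the sample requests are assumptions constructed for illustration.

```javascript
// Added example: device-side destination check for a proxy exit node.
// Assumption: the caller passes the address the hostname RESOLVED to, not the
// hostname, so a public name that points at a LAN address is still caught.
const BLOCKED_V4 = [
  ['0.0.0.0', 8], ['10.0.0.0', 8], ['100.64.0.0', 10], ['127.0.0.0', 8],
  ['169.254.0.0', 16], ['172.16.0.0', 12], ['192.168.0.0', 16],
  ['224.0.0.0', 4], ['240.0.0.0', 4],
];

// Strict dotted-quad parser: returns an unsigned 32-bit integer or null.
function parseV4(s) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(s);
  if (!m) return null;
  const o = m.slice(1).map(Number);
  if (o.some((n) => n > 255)) return null;
  return ((o[0] << 24) | (o[1] << 16) | (o[2] << 8) | o[3]) >>> 0;
}

function inCidr(addr, base, bits) {
  const mask = (0xffffffff << (32 - bits)) >>> 0;
  return ((addr & mask) >>> 0) === ((parseV4(base) & mask) >>> 0);
}

function isDestinationAllowed(ip) {
  if (typeof ip !== 'string') return false;
  let s = ip.trim().toLowerCase();
  // IPv4-mapped IPv6 must not slip past the IPv4 list.
  const mapped = /^::ffff:(\d+\.\d+\.\d+\.\d+)$/.exec(s);
  if (mapped) s = mapped[1];
  const v4 = parseV4(s);
  if (v4 !== null) return !BLOCKED_V4.some(([b, n]) => inCidr(v4, b, n));
  // IPv6: allow only global unicast (2000::/3); loopback, unique-local (fc00::/7),
  // link-local (fe80::/10), multicast and anything unparseable are refused.
  if (!/^[0-9a-f:]+$/.test(s) || !s.includes(':')) return false;
  return (parseInt(s.split(':')[0], 16) & 0xe000) === 0x2000;
}

// Constructed sample of relay requests (hosts and addresses are made up).
const SAMPLE = [
  { host: 'shop.example', resolvedIp: '93.184.216.34' },
  { host: 'router.lan', resolvedIp: '192.168.1.1' },
  { host: 'rebind.example', resolvedIp: '::ffff:10.0.0.5' },
  { host: 'nas.local', resolvedIp: 'fd00::20' },
];

function deniedDestinations(reqs) {
  return reqs.filter((r) => !isDestinationAllowed(r.resolvedIp)).map((r) => r.host);
}
console.log(deniedDestinations(SAMPLE));
```

A check like this only holds if the relay then connects to the exact address that was checked rather than resolving the hostname a second time.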

All three contacted proxy providers responded to the findings, citing customer vetting, know-your-customer processes, and server-side controls as risk mitigation measures. Bright Data emphasised its commitment to legitimate business use and independent auditing, while Oxylabs stated it restricts access to local network ranges through technical controls and third-party penetration testing. Massive highlighted its focus on user stability and minimal interface design. Despite these assurances, the study argues that a one-time consent prompt buried in a TV app is insufficient given the lack of ongoing user control and platform oversight.
