Your Smart TV Might Be Helping Hackers Attack Websites

Your Smart TV Might Be Helping Hackers Attack Websites

BotnetPrivacySmart TVAnti-ScrapingResidential Proxy

Sources:LWN + Lobsters + Spur.us + web research

On June 22, 2026, the security company Spur published an investigation. They scanned 6,038 apps across LG’s webOS and Samsung’s Tizen smart-TV platforms, and the results were unsettling: 2,058 of those apps had a residential-proxy SDK embedded — more than a third. LG’s platform was worse: nearly half of its apps were selling users’ home IP addresses in the background.

On the surface these apps are fish-tank screensavers, clocks, card games, puppy wallpapers. The screen shows a calm, uneventful scene, while the code underneath puts your network to work for someone else.

Smart-TV platform proxy SDK prevalence: nearly half of LG webOS apps embed proxy code ▲ Image source: Spur.us investigation. X-axis: platform; Y-axis: app count; red: apps with proxy SDK detected.

What is a residential proxy

To understand this, you need one concept. Every device on the internet has an IP address, and sites use it to judge where a visitor comes from. Traditional data-center server IPs are easy to flag — providers hold ready-made IP-range databases and can tell at a glance “this isn’t a real person.” So scrapers long ago gave up crawling directly from their own servers.

Their new approach: borrow ordinary people’s home network exits. This service is called a “residential proxy.” Your home broadband IP and your neighbor’s look identical — both are real residential addresses assigned by the telecom provider. A site seeing such a visitor can barely tell whether it’s a human or a machine.

Where do residential proxies come from? Two routes. The first is purely malicious: infect users’ computers or phones with malware and silently conscript those devices as proxy nodes. Earlier this year Google, working with the FBI, took down a botnet called IPIDEA, and later NetNut. LWN’s Jonathan Corbet noted in a July 10 article that after IPIDEA was shut down, scraper attacks on his site dropped noticeably for a month or two — then came roaring back.

The second route is “out in the open”: proxy companies provide an SDK (software development kit) that lets app developers embed a snippet of code into their product. When a user opens the app, a consent dialog pops up; once checked, the app can use the user’s network connection in the background to forward outside traffic. The developer gets paid, the proxy company gets a node, and the user gets a “free” or “ad-free” app. Bright Data is one of the most visible players here — it even offers a “free” VPN on the condition that the user agrees to become a node in Bright Data’s proxy network too.

Why the TV became the perfect proxy host

Run a proxy on a phone or computer and the user will eventually notice: the battery drains fast, the data bill spikes, the fan whirs. But a TV is different. Spur’s report has a precise description:

Smart TVs are nearly ideal proxy hosts. They sit on the same network as everything else in the home, but people don’t think of a TV as a “computer,” so they almost never inspect it the way they would a PC. No battery drain to notice, no data bill to spike, no suspicious background activity in an app switcher. A TV can sit plugged in, logged in, and online for years while its owner treats it as furniture.

This perception gap determines how meaningful the consent step is. When a user installs an app on their TV with the remote, the consent dialog is usually skipped in a hurry — the remote-control navigation is tiresome enough without reading every clause. More critically, these SDKs’ “consent” typically needs to be given only once: you click agree, and the proxy service keeps running in the background, even if you close the app or switch to another channel.

Spur’s researchers captured several typical consent screens. Pac-Man on Samsung’s Tizen was the most “honest”: it made users choose between two modes outright — either watch ads to play, or accept Bright Data’s proxy service to play ad-free. “Do web indexing using your network connection,” in their words. A classic monetization fork: your attention, or your IP — one of them has to be paid.

Pac-Man's consent screen on Samsung Tizen: watch ads or become a proxy node, pick one ▲ Image source: Spur.us investigation. Pac-Man lets users choose between “with ads” and “ad-free but sharing network connection.”

Who builds these apps

Spur’s research revealed a deeper pattern. In many cases, the proxy company is itself the app publisher. Bright Data and associated names accounted for 367 of the apps flagged as proxies. Honeygain (an Oxylabs subsidiary) appeared 16 times as a publisher.

This means many apps were never “normal apps that happened to bundle a proxy SDK.” They look more like “first-party proxy inventory”: shoddily made casual games, screensavers, tool shells, mass-published for the sole purpose of giving the SDK a place to run. The app is the wrapping paper; the residential IP is the product.

Why anti-scraping is starting to fail

The existence of residential-proxy networks makes the anti-scraping protections site owners deploy effectively useless.

Take Anubis. This open-source tool filters out scrapers that don’t execute JavaScript by requiring the browser to solve a “proof-of-work” puzzle before accessing the site. Since 2025, many sites battered by scraper attacks have deployed Anubis. LWN’s operator noted that LWN alone recently suffered the most intense scraper attack in its history — and thanks to the preemptive protection, most readers never noticed.

But here’s the question: is Anubis actually blocking malicious scrapers, or ordinary users who happened to disable JS? Developer Farid Zakaria gave a discouraging answer in his July 9 blog post: he had AI help him write a tool called anubis-fetch specifically to bypass Anubis, in very little time. For scrapers, solving Anubis’s puzzle is a one-time cost — the cookie can be cached and reused. For real users, every time they open a new site they wait a few seconds of spinning and CPU work, and each user waits their own, with no way to “amortize” it.

Zakaria’s post title is his conclusion: Who does Anubis actually stop? — the targets it meant to block slip right past it, while the real users it harms are the ones visiting with old phones, text browsers, or screen readers.

And residential proxies make the problem even more intractable. When a scraper is walking through your home TV’s IP address, the “visitor” the site sees is indistinguishable from your neighbor opening a browser. Block that IP and you block an entire real household’s internet access. LWN commenter splitbrain put it sharply: blocking residential-proxy scrapers takes one button and one cookie — no elaborate PoW needed. But the problem is — how do you know which IP has a TV working behind it?

The platforms diverge

Facing this situation, the TV platforms have split clearly in their stances.

Amazon’s Fire TV platform explicitly prohibits apps from providing proxy services to third parties in its device and system abuse policy. Roku, per Lowpass (reported via The Verge), has also barred developers from using Bright SDK and similar proxy services, and after being contacted by media, the relevant apps disappeared from the platform.

But LG and Samsung have yet to draw an equivalent public red line. Spur’s data shows the business model Amazon and Roku explicitly banned still exists at scale on webOS and Tizen.

At the end of LWN’s article, Jonathan Corbet wrote something that hits home: the industry behind these attacks seems utterly indifferent to blowing independent websites to rubble — as long as the data comes through. That attitude extends not just to websites but to the planet and its economy. Some oppose this thinking and will keep fighting. Maybe one day the world will decide to set a minimum ethical floor for LLM companies and their associated tech. But until that day comes, this behavior won’t stop, and we have no choice but to defend ourselves.

More than just scraping

One more dimension deserves serious attention: once an app gains proxy privileges inside your home network, the risk isn’t limited to “someone borrowing your public IP.” If a proxy provider chooses to allow requests to private or local addresses — or its filtering fails — that TV can become a jump point for attackers to enter your home LAN: router admin panels, NAS storage, printers, cameras, dev machines, and anything listening on a local port.

This isn’t hypothetical. In January 2026, KrebsOnSecurity reported a botnet called Kimwolf that used residential-proxy networks to pivot backward into the LAN of the proxy nodes and spread further.

My judgment: the essence of this attack-and-defense isn’t technical. The residential-proxy business model works because it outsources the question of “does the user know and consent” to app developers — and the incentive developers receive is money, not user safety. When a TV’s default identity is “furniture” rather than “connected computer,” and a single remote-control click can permanently authorize background proxying, the chain of responsibility throughout the system breaks.

Reference links:

  • LWN: An update on the scraper situation
  • fzakaria: Who does Anubis actually stop
  • Spur.us: Nearly Half of LG Smart TV Apps Contain Residential Proxy SDKs
  • Lobsters discussion (item?id=kpaxih)
  • Lobsters discussion (item?id=ktew3s)