Bright Data SDK turns apps and smart TVs into scraping proxies
Researchers reverse-engineered Bright Data’s iOS SDK and found free apps and smart TVs can act as exit nodes, relaying web-scraping traffic through users’ home IPs.
Include Security and independent researcher Buchodi published a technical analysis on June 5 based on reverse engineering Bright Data’s iOS SDK. The analysis found the SDK can turn free mobile apps and always-on smart TVs into exit nodes that fetch web pages for Bright Data customers using the device’s internet connection and the user’s home IP address.
The analysis shows the SDK contacts Bright Data servers and receives instructions to fetch pages from other websites. The peer channel that carries scraping jobs lacks standard authentication. On iOS the SDK’s traffic can bypass a configured VPN and may not appear in common app-monitoring tools.
The SDK can run in the background while a device is in use, for example during a call or while a TV is on, provided battery level allows. Smart TVs are highlighted as practical relays because they are usually plugged in, on fast connections and often left idle.
The SDK is embedded in free apps and presented behind an opt-in consent screen. The analysis notes those consent messages often understate the scope of activity the SDK permits. In one Roku app, Petflix, an opt-in message said the app would use the device and its connection “occasionally,” while SDK settings allowed up to 200 GB of traffic per month. In some countries the limits are set higher and the relay can run until battery is nearly drained. The SDK can also link a person’s phone with other devices that run the same company’s apps.
Bright Data, the successor to the Luminati proxy service, markets a residential proxy network it says includes more than 400 million residential IPs and a consent-sourced pool of over 150 million IPs. The company publishes a public list of app partners that has included PlayWorks Digital, CloudTV and Longvision; the analysis emphasizes that appearing on the list indicates a past relationship and that each app must be checked individually.
Platform vendors have restricted background proxy SDKs. Bright Data removed its SDK from Google, Amazon and Roku platforms, while its partner list still shows support for Samsung’s Tizen and LG’s webOS.
The report lists domains the SDK uses to receive instructions: proxyjs.brdtnet.com, proxyjs.luminatinet.com, proxyjs.bright-sdk.com, clientsdk.bright-sdk.com and clientsdk.brdtnet.com. Blocking those domains at the router with tools such as Pi-hole or NextDNS will prevent a device from acting as a relay without affecting Bright Data’s paid infrastructure, which uses different addresses. Organizations that manage employee phones are advised to scan devices for apps that contain the SDK. On mobile data the relay traffic can bypass corporate Wi-Fi blocks. The report notes Bright Data could change the SDK’s connection methods over time, which would require updates to blocklists and detection tools.
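One way to find which devices on a network are contacting the hostnames listed above, as an added example that is not from the report or from Bright Data. It assumes a Pi-hole or dnsmasq query log in the usual `query[TYPE] name from client` form; the sample log lines, timestamps and client IPs are constructed.

```python
import re
from collections import defaultdict

# Control hostnames exactly as listed in the report summarized above.
SDK_HOSTS = frozenset({
    "proxyjs.brdtnet.com",
    "proxyjs.luminatinet.com",
    "proxyjs.bright-sdk.com",
    "clientsdk.bright-sdk.com",
    "clientsdk.brdtnet.com",
})

# Assumed dnsmasq / Pi-hole query line: "... query[A] <name> from <client-ip>"
QUERY_RE = re.compile(r"query\[[^\]]+\]\s+(\S+)\s+from\s+(\S+)")

# Constructed sample log; IPs and timestamps are made up for illustration.
SAMPLE_LOG = [
    "Jun  5 21:14:02 dnsmasq[811]: query[A] clientsdk.bright-sdk.com from 192.168.1.40",
    "Jun  5 21:14:02 dnsmasq[811]: query[AAAA] clientsdk.bright-sdk.com from 192.168.1.40",
    "Jun  5 21:14:02 dnsmasq[811]: gravity blocked clientsdk.bright-sdk.com is 0.0.0.0",
    "Jun  5 21:15:10 dnsmasq[811]: query[A] PROXYJS.BRDTNET.COM. from 192.168.1.23",
    "Jun  5 21:15:30 dnsmasq[811]: query[A] proxyjs.brdtnet.com.example.net from 192.168.1.50",
    "Jun  5 21:16:00 dnsmasq[811]: query[A] example.org from 192.168.1.23",
]

def find_sdk_clients(log_lines):
    """Return {client_ip: {hostname: query_count}} for listed SDK hostnames."""
    hits = defaultdict(lambda: defaultdict(int))
    for line in log_lines:
        m = QUERY_RE.search(line)
        if not m:
            continue  # reply, blocked or cache lines carry no client address
        # DNS names are case-insensitive and may end with a root dot.
        name = m.group(1).rstrip(".").lower()
        # Exact match only, so lookalike names and other hosts under the
        # same parent domains are not flagged.
        if name in SDK_HOSTS:
            hits[m.group(2)][name] += 1
    return {client: dict(hosts) for client, hosts in hits.items()}

if __name__ == "__main__":
    for client, hosts in sorted(find_sdk_clients(SAMPLE_LOG).items()):
        for host, count in sorted(hosts.items()):
            print(f"{client} queried {host} {count} time(s)")
```

A hit identifies the device to inspect; which installed app embeds the SDK still has to be checked on the device itself.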








