New research by Include Security and independent researcher Buchodi has revealed how Bright Data, one of the world’s largest residential proxy providers, uses software embedded in free apps to turn users’ devices into internet relay points for web-scraping activities.
Bright Data, which claims to operate a residential proxy network of more than 400 million IP addresses, supplies these connections to customers, including businesses involved in AI training and data collection. According to the research, devices such as smartphones, computers, and even smart TVs can be used to route web-scraping traffic through a user’s home internet connection.
The findings suggest that when participating apps are installed, Bright Data’s software can receive instructions from company servers and use the device’s internet connection to fetch content from websites on behalf of third parties. Researchers also reported weak authentication controls within the SDK, VPN bypass capabilities on iPhones, and extensive background activity that may continue while users are actively using their devices.
A key concern raised by the researchers is the issue of informed consent. In one example involving a Roku app called Petflix, users were told their device and internet connection would only be used “occasionally.” However, the SDK settings reportedly allowed for traffic levels of up to 200GB per month, with even higher limits configured in some countries.
The report also highlights Bright Data’s published partner list, which has included smart-TV application developers such as PlayWorks Digital, CloudTV, and Longvision. Researchers note that inclusion on the partner list does not necessarily mean those apps currently contain the SDK, but it demonstrates past commercial relationships.
The business model itself is not new. Bright Data evolved from Luminati, which grew out of the controversial Hola VPN network. In 2015, Hola faced criticism after it emerged that users’ bandwidth was being sold through Luminati’s proxy network. Today’s version of the model appears to be driven largely by demand from AI companies seeking residential IP addresses that are less likely to be blocked by anti-bot systems operated by companies such as Cloudflare and DataDome.
Previous reporting by Lowpass, later syndicated by The Verge, drew attention to the use of smart TVs within residential proxy networks. More recently, security journalist Brian Krebs reported on the growing role of residential proxy infrastructure in large-scale AI data harvesting operations.
While Bright Data maintains that users voluntarily opt into the programme through consent screens, researchers argue that many users may not fully understand the extent to which their devices and internet connections could be utilised.
For users concerned about participating in such networks, researchers recommend blocking known Bright Data SDK domains using network-level tools such as Pi-hole or NextDNS. The domains identified include:
- proxyjs.brdtnet.com
- proxyjs.luminatinet.com
- proxyjs.bright-sdk.com
- clientsdk.bright-sdk.com
- clientsdk.brdtnet.com
According to the research, blocking these domains can prevent devices from acting as proxy relays without affecting Bright Data’s commercial services, which operate through separate infrastructure.
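To see which devices on a home network are already contacting these endpoints, the DNS resolver's query log can be checked against the list. The following is an added example, not code from the researchers or from Bright Data. It assumes dnsmasq-style `query[...] name from client` log lines as written by Pi-hole, uses constructed sample log lines and IP addresses, and also matches subdomains of the listed names, which goes beyond what the article states.

```python
import re
from collections import defaultdict

# Domains listed in the article as Bright Data SDK endpoints.
SDK_DOMAINS = (
    "proxyjs.brdtnet.com",
    "proxyjs.luminatinet.com",
    "proxyjs.bright-sdk.com",
    "clientsdk.bright-sdk.com",
    "clientsdk.brdtnet.com",
)

# dnsmasq / Pi-hole query line: "... query[A] <name> from <client>"
QUERY_RE = re.compile(r"query\[[A-Za-z0-9]+\]\s+(?P<name>\S+)\s+from\s+(?P<client>\S+)")

def normalise(name):
    """Lower-case a DNS name and drop a trailing root dot."""
    return name.lower().rstrip(".")

def is_sdk_domain(name):
    """True for a listed domain or a subdomain of one (assumption: subdomains count)."""
    name = normalise(name)
    return any(name == d or name.endswith("." + d) for d in SDK_DOMAINS)

def find_sdk_clients(log_lines):
    """Return {client_ip: {domain: query_count}} for lookups of SDK domains."""
    hits = defaultdict(lambda: defaultdict(int))
    for line in log_lines:
        m = QUERY_RE.search(line)
        if m and is_sdk_domain(m["name"]):
            hits[m["client"]][normalise(m["name"])] += 1
    return {client: dict(domains) for client, domains in hits.items()}

# Constructed sample log lines (not real captures).
SAMPLE_LOG = """\
Jan 10 09:14:02 dnsmasq[811]: query[A] clientsdk.bright-sdk.com from 192.168.1.40
Jan 10 09:14:05 dnsmasq[811]: query[AAAA] ProxyJS.brdtnet.com. from 192.168.1.40
Jan 10 09:15:11 dnsmasq[811]: query[A] example.com from 192.168.1.22
Jan 10 09:16:30 dnsmasq[811]: query[A] proxyjs.luminatinet.com from 192.168.1.57
Jan 10 09:17:00 dnsmasq[811]: query[A] notproxyjs.brdtnet.com from 192.168.1.22
"""

if __name__ == "__main__":
    for client, domains in sorted(find_sdk_clients(SAMPLE_LOG.splitlines()).items()):
        for domain, count in sorted(domains.items()):
            print(f"{client} queried {domain} x{count}")
```

A client that keeps querying these names after the blocklist is in place still has an app with the SDK installed, so the client IP identifies which device to inspect.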

