Controversial Proxy Network Turns Smart TVs into AI Data Scraping Nodes, Raising Privacy Concerns

June 6, 2026
  • Suggested mitigations also include blocking identified proxy domains at the router level and scanning managed devices for the SDK-bearing apps, with the caveats that mobile traffic can bypass certain blocks and that the SDK could change its connection method.

  • Technical findings show the SDK fetches an unauthenticated config with feature flags and bandwidth limits, uses a peer tunnel that bypasses VPNs via NWConnection with requiredInterface, and maintains a continuous telemetry feed reporting device state for matching scraping jobs, with little to no strong message signing or attestation for the peer tunnel.

  • Idle and relay rules govern when a device can relay traffic, setting thresholds for battery, bandwidth, CPU, and memory; some regions impose aggressive limits, while others follow default rules.

  • Recommended detection and blocking strategies include DNS blocking of proxy-related domains, TLS SNI filtering for related domains, TLS fingerprinting, and enterprise-wide MDM-based app scanning to detect or quarantine installations containing the SDK.

  • A large residential proxy network marketed as 150M+ IPs operates via a consent-based SDK embedded in partner apps, turning consumer devices such as smart TVs into proxy exit nodes for AI data scraping.

  • A May notice to Bright Data outlines exposure and ongoing analysis, drawing on TLS-inspecting proxies and static/dynamic SDK analysis; there was no public response at the time of posting.

  • The iOS brdsdk.framework establishes an unauthenticated config channel and a persistent WebSocket tunnel to proxyjs.brdtnet.com, enabling scraping traffic to appear as coming from the user’s residential IP.

  • On iOS, the scraping traffic can continue in the background and bypass VPNs even when the user is actively using the device, raising privacy and security concerns.

  • Cross-platform identity linking ties a user's iOS device to other installations of the same app across Windows/macOS, with HTTP/3 and QUIC expected for future peer transport.

  • A public manifest lists publishers and TV platforms that could monetize devices as proxy exit nodes, though presence in the manifest does not prove active production integration.

  • There is a consent gap: opt-in screens may misrepresent the SDK's actions, and some apps (such as a Roku app named Petflix) show usage that does not align with actual traffic allowed by the SDK.

  • The data plane peer tunnel bypasses VPNs while the control plane can be opaque to instrumentation, raising implications for enterprise security and parental controls.
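The router-level DNS detection mentioned in the bullets can be sketched as a log scan. This is an added example, not code from the cited research: it assumes a dnsmasq resolver running with `log-queries`, the blocklist holds only the one domain named above, and the log lines and client addresses are constructed.

```python
import re
from collections import defaultdict

# Only domain named on this page; extend with indicators from your own analysis.
BLOCKLIST = {"proxyjs.brdtnet.com"}

# dnsmasq log-queries line: "<timestamp> dnsmasq[pid]: query[TYPE] <name> from <client>"
QUERY_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8}) dnsmasq\[\d+\]: "
    r"query\[(?P<qtype>[A-Z0-9]+)\] (?P<name>\S+) from (?P<client>\S+)$"
)

def matches_blocklist(name, blocklist=BLOCKLIST):
    """True if name equals a listed domain or is a subdomain of one."""
    name = name.rstrip(".").lower()  # normalise case and trailing root dot
    # Compare on a label boundary so "notproxyjs..." does not match "proxyjs...".
    return any(name == d or name.endswith("." + d) for d in blocklist)

def find_relay_clients(lines, blocklist=BLOCKLIST):
    """Return {client_ip: {"count", "first", "last", "names"}} for matching queries."""
    hits = defaultdict(lambda: {"count": 0, "first": None, "last": None, "names": set()})
    for line in lines:
        m = QUERY_RE.match(line.strip())
        if not m or not matches_blocklist(m["name"], blocklist):
            continue
        h = hits[m["client"]]
        h["count"] += 1
        h["first"] = h["first"] or m["ts"]
        h["last"] = m["ts"]
        h["names"].add(m["name"].rstrip(".").lower())
    return dict(hits)

# Constructed sample log (not captured traffic); client addresses are made up.
SAMPLE_LOG = """\
Jun  5 21:14:02 dnsmasq[412]: query[A] proxyjs.brdtnet.com from 192.168.1.23
Jun  5 21:14:02 dnsmasq[412]: reply proxyjs.brdtnet.com is 203.0.113.10
Jun  5 21:14:09 dnsmasq[412]: query[A] example.org from 192.168.1.40
Jun  5 21:20:31 dnsmasq[412]: query[AAAA] PROXYJS.brdtnet.com. from 192.168.1.23
Jun  5 21:22:47 dnsmasq[412]: query[A] notproxyjs.brdtnet.com from 192.168.1.40
Jun  5 21:25:00 dnsmasq[412]: query[HTTPS] proxyjs.brdtnet.com from 192.168.1.57
""".splitlines()

if __name__ == "__main__":
    for client, h in sorted(find_relay_clients(SAMPLE_LOG).items()):
        print(f"{client}: {h['count']} queries, {h['first']} -> {h['last']}, {sorted(h['names'])}")
```

A device that resolves names over mobile data or a resolver other than the router never appears in this log, which is the bypass caveat noted in the mitigation bullet.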

Summary based on 2 sources



Sources


The Smart TV in Your Living Room Is a Node in the AI Scraping Economy

Include Security Research Blog • Jun 5, 2026

