Spotify Free is Serving Up Malware

Numerous users are flooding music streaming service Spotify’s Twitter feed to report that its free, ad-supported tier has been hit with a malvertising attack.

Those running Spotify Free on the desktop are periodically seeing strange browser behavior: their default browser opens unbidden and loads pages served by malicious ads, some of which attempt to deliver malware.

As a post on the Spotify user forum explains:

“If you have Spotify Free open, it will launch—and keep on launching—the default internet browser on the computer to different kinds of malware/virus sites. Some of them do not even require user action to be able to cause harm.

I have 3 different systems (computers) which are all clean and they are all doing this, all via Spotify—I am thinking it's the Ads in Spotify Free. I hope this has been noticed and Spotify staff are fixing it—fast. But it's still puzzling something like this can actually happen.”

The Twitterati were quick to complain:

“Had malware on my ubuntu desktop that kept opening random ads on my browser every minute. Luckily @Spotify client was easy to uninstall,” said @SamuNuutamo.

Users on Windows 10, Ubuntu and MacOS have all reported the issue.

@tarukalvi tweeted the customer service handle: “@SpotifyCares Yesterday the Spotify Free software started launching malware on my Mac's Safari on its own. Many have the same experience atm.”

For its part, Spotify responded in the user forum, saying that it has placed the issue under investigation.

Malvertising happens when attackers get malicious ads into legitimate online ad networks, typically by buying ad space or compromising an ad server, usually without the host site (in this case, Spotify) being any the wiser. The malicious ads then redirect users through one or more hops to sites where exploit kits drop payloads ranging from ransomware to banking Trojans, often with no click required. A malvertising attack was recently found mounted on another popular website, one that receives 2 million visits daily. In that case, visitors who browsed the knowledge-based website were exposed to fraudulent and malicious advertisements and could be infected with ransomware on a drive-by basis, without even having to click on an ad.
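The redirect chain just described (content page, then the ad network, then one or more 30x hops, then the landing page hosting the kit) leaves a recognizable trace in web proxy logs. The following Python script is an added example, not code from the article, Spotify or Bromium: it parses constructed proxy log lines (the log format, all hostnames, and the AD_DOMAINS and ALLOWLIST sets are assumptions), follows referrer links from each ad-network redirect to its landing page, and flags a client that lands on several distinct unknown hosts via such chains within a short window, which is the repeating "browser opens every minute" pattern the forum posters describe.

```python
"""Flag malvertising-style redirect chains in web proxy logs (added example).

Assumed log format, one request per line:
    <ISO timestamp> <client IP> <HTTP status> <URL> <referrer or '-'>
"""
from collections import defaultdict, namedtuple
from datetime import datetime, timedelta
from urllib.parse import urlsplit

Entry = namedtuple("Entry", "ts client status url referrer")

# Assumed local lists, not real threat intel: hosts that serve ad creatives
# and redirects, and destinations already known to be benign.
AD_DOMAINS = {"ads.example-network.net", "track.example-redir.com"}
ALLOWLIST = {"shop.example.com", "open.spotify.com"}

# Constructed sample: client 10.0.0.7 is pushed to a new unknown host about
# once a minute from the same origin page; 10.0.0.9 follows a normal ad click.
SAMPLE_LOG = """\
2016-10-05T10:00:01Z 10.0.0.7 200 https://open.spotify.com/ -
2016-10-05T10:00:02Z 10.0.0.7 302 https://ads.example-network.net/click?id=1 https://open.spotify.com/
2016-10-05T10:00:02Z 10.0.0.7 302 https://track.example-redir.com/r?u=abc https://ads.example-network.net/click?id=1
2016-10-05T10:00:03Z 10.0.0.7 200 http://update-flash-now.example/index.php https://track.example-redir.com/r?u=abc
2016-10-05T10:01:02Z 10.0.0.7 302 https://ads.example-network.net/click?id=2 https://open.spotify.com/
2016-10-05T10:01:03Z 10.0.0.7 200 http://win-prize-today.example/ https://ads.example-network.net/click?id=2
2016-10-05T10:02:02Z 10.0.0.7 302 https://ads.example-network.net/click?id=3 https://open.spotify.com/
2016-10-05T10:02:03Z 10.0.0.7 200 http://secure-browser-fix.example/ https://ads.example-network.net/click?id=3
2016-10-05T10:00:30Z 10.0.0.9 200 https://news.example.org/article -
2016-10-05T10:00:31Z 10.0.0.9 302 https://ads.example-network.net/click?id=9 https://news.example.org/article
2016-10-05T10:00:32Z 10.0.0.9 200 https://shop.example.com/landing https://ads.example-network.net/click?id=9
"""


def parse_log(text):
    """Parse log lines into Entry tuples, sorted by timestamp (stable)."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, client, status, url, referrer = line.split()
        entries.append(Entry(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                             client, int(status), url,
                             None if referrer == "-" else referrer))
    return sorted(entries, key=lambda e: e.ts)


def host_of(url):
    return urlsplit(url).hostname or ""


def redirect_chains(entries):
    """Follow referrer links from each ad-network redirect to its landing page.

    A chain starts at a 3xx response from an ad host whose referrer is a
    content page (not another ad host), and follows requests from the same
    client whose referrer is the previous hop until a non-3xx response.
    Returns a list of (origin_host, [hops]).
    """
    by_referrer = defaultdict(list)
    for e in entries:
        if e.referrer:
            by_referrer[e.referrer].append(e)
    chains = []
    for e in entries:
        if e.status // 100 != 3 or host_of(e.url) not in AD_DOMAINS:
            continue
        if e.referrer and host_of(e.referrer) in AD_DOMAINS:
            continue  # intermediate hop; the chain was started upstream
        chain, cur = [e], e
        while cur.status // 100 == 3:
            hops = [n for n in by_referrer.get(cur.url, ())
                    if n.client == cur.client and n.ts >= cur.ts]
            if not hops:
                break  # dangling redirect, landing never fetched
            cur = hops[0]
            chain.append(cur)
        chains.append((host_of(e.referrer) if e.referrer else "-", chain))
    return chains


def flag_clients(entries, window=timedelta(minutes=10), threshold=3):
    """Alert on clients landing on >= threshold distinct unknown hosts via ad
    redirect chains inside `window`. One ad click is normal; a stream of
    them from one origin page is the malvertising tell."""
    landings = defaultdict(list)
    for origin, chain in redirect_chains(entries):
        last = chain[-1]
        land = host_of(last.url)
        if last.status // 100 == 3 or land in ALLOWLIST or land in AD_DOMAINS:
            continue
        landings[last.client].append((last.ts, land, origin))
    alerts = {}
    for client, hits in landings.items():
        hits.sort()
        for ts, _, _ in hits:
            in_win = [h for h in hits if ts <= h[0] <= ts + window]
            hosts = {h[1] for h in in_win}
            if len(hosts) >= threshold:
                alerts[client] = {"origins": sorted({h[2] for h in in_win}),
                                  "landings": sorted(hosts)}
                break
    return alerts


if __name__ == "__main__":
    for client, info in flag_clients(parse_log(SAMPLE_LOG)).items():
        print(client, "origins:", info["origins"], "landings:", info["landings"])
```

On the sample, only 10.0.0.7 is flagged, and the report names open.spotify.com as the sole origin of all three chains, which is the kind of evidence that points investigators at the embedding application rather than at the user's browsing. Intermediate ad hosts (track.example-redir.com) are not counted as chain starts, so a two-hop redirect yields one landing, not two.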

“We've seen an increase in malvertising of this kind,” said Rahul Kashyap, EVP and Chief Architect at Bromium. “Last year, our threat sensors found over a quarter of the Alexa 1000 websites were delivering malware via malicious advertisements. This is something that enterprises need to think about, as users see their desktops as personal devices. Threats like these will always find their way into the corporate network. Unless you completely lock down users’ desktops, which isn’t practical, you will always experience user-introduced vulnerabilities.”

He added, “Instead of trying to change human behavior, companies should accept that users are always going to be the weakest link in the security chain. The trick is to contain the threat, so the enterprise isn't placed at risk. The ideal way to do this is to shrink the attack surface by isolating the endpoint so doing things like clicking on links or downloading documents is contained. Then, even if that action introduces malware, it can't go beyond that point.”

Photo © Vdovichenko Denis/

Source: Information Security Magazine