
Spotify serves listeners “The Sound of Malware”

Spotify, the freemium online music service, has been serving free users of its desktop application malicious and annoying advertisements along with the desired tunes. The aggressive ads were for a variety of scams, online-betting sites and even porn services. Listeners reported that the ads popped up and opened automatically without waiting for user consent. The dangerous ads hit devices running Apple, Linux and Windows operating systems.

The free version of Spotify is supported by in-product ads

And this is where the problem originated. “Some of the usual ads are external like those for Reebok shoes. For those, you have to click on them and you are redirected to the ad coming up in your default browser,” said Oscar Anduiza, malware analyst at Avira. “But this time we had some aggressive ads that were spam and scams which automatically opened up in the browser without any user consent.”


Premium Spotify users were spared, with the ads hitting just the free users.

Where do these malicious ads come from?

The outbreak of malvertising is believed to have originated at Spotify’s ad agency and not directly within Spotify. “Probably the ad agency made a subcontract with some other ad providers and it was these agencies further down the food chain that placed the ads with the extra presents – like the script that launched users’ browsers and redirected them to various spam and scam sites,” he added.

The outbreak shows the vulnerabilities of the global market for online ads – and will increase user interest in ad blockers. It’s not the first time that Spotify has been caught distributing dangerous ads to its users. In a previous malvertising attack back in 2011, most of the attacks happened in Sweden and the UK. This time it happened around the world.

What exactly is malvertising?

Malvertising, or malicious advertising, is a type of online attack in which dangerous code or links are hidden within an online ad. Malvertising attacks have hit many major and reputable websites, including the New York Times. While some require the user to click before the malware is downloaded, others run without any participation from the victim.
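The "without the victim's participation" case is exactly what the Spotify listeners saw: ad scripts that launched a browser and redirected on their own. The following is an added example, not code from the Avira post, from Spotify or from its ad agency, showing the embedder-side control that neutralises that behaviour when an ad slot is an HTML frame: the `sandbox` attribute. The "ad creative" inside it is constructed for the demo and the `example.com` URLs are placeholders; it tries the two things the article describes (redirecting the page and opening a window with no user gesture) and reports back what the browser let it do.

```html
<!DOCTYPE html>
<!-- Added example (not from the Avira post or Spotify): an ad slot rendered in a
     sandboxed iframe so that a creative cannot redirect the embedding page or open
     windows without a user gesture. Open this file in a browser; the outcome for
     each policy appears in the <pre id="log"> element. -->
<html>
<head>
<meta charset="utf-8">
<title>Sandboxed ad slot demo</title>
</head>
<body>
<h3>Ad slot with iframe sandbox</h3>
<pre id="log"></pre>
<script>
  // Constructed "ad creative": stands in for third-party HTML the host app never
  // controls. It attempts an automatic top-level redirect and a popup, exactly the
  // behaviour the article reports, and posts the result to the embedding page.
  // (<\/script> is escaped so the outer <script> block is not terminated early.)
  const creative = `
    <script>
      const report = (what, outcome) => parent.postMessage({ what, outcome }, '*');
      try {
        top.location.href = 'https://example.com/landing';  // placeholder URL
        report('top navigation', 'no exception (navigation may proceed)');
      } catch (e) {
        report('top navigation', 'blocked: ' + e.name);
      }
      const w = window.open('https://example.com/popup');    // placeholder URL
      report('window.open', w ? 'ALLOWED' : 'blocked (returned null)');
    <\/script>`;

  const log = document.getElementById('log');
  const frames = new Map();   // contentWindow -> { policy, reported }

  // Accept reports only from frames this page created; a sandboxed frame without
  // allow-same-origin reports with origin "null", so match on the window object.
  window.addEventListener('message', (ev) => {
    const entry = frames.get(ev.source);
    if (!entry) return;
    entry.reported = true;
    log.textContent += `[sandbox="${entry.policy}"] ${ev.data.what}: ${ev.data.outcome}\n`;
  });

  // Two policies for the same creative:
  //   ""              - full sandbox: scripts do not execute at all.
  //   "allow-scripts" - scripts run (most ads need them), but the frame may not
  //                     navigate the embedding page, open popups, or share the
  //                     embedder's origin. Without the sandbox attribute, the same
  //                     creative would take over the page as soon as it loaded.
  // Never combine allow-same-origin with allow-scripts for untrusted content: a
  // same-origin frame can reach the parent document and remove its own sandbox.
  for (const policy of ['', 'allow-scripts']) {
    const slot = document.createElement('iframe');
    slot.setAttribute('sandbox', policy);
    slot.srcdoc = creative;
    document.body.appendChild(slot);
    frames.set(slot.contentWindow, { policy, reported: false });
  }

  // A frame whose script never ran sends nothing; note that after a short wait.
  setTimeout(() => {
    for (const { policy, reported } of frames.values()) {
      if (!reported) log.textContent += `[sandbox="${policy}"] no script executed\n`;
    }
  }, 1000);
</script>
</body>
</html>
```

Expected behaviour in a current browser: the fully sandboxed frame logs "no script executed", and the `allow-scripts` frame logs that the top navigation was blocked with a SecurityError and that `window.open` returned null. If an ad product legitimately needs click-through, the `allow-top-navigation-by-user-activation` token permits navigation only on a real user gesture, which is precisely the click-to-open behaviour Anduiza contrasts with the auto-opening ads.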

Cut and run?

Looks like Spotify has responded by simply cutting out the suspect ads. “Some of the advertisements that should appear within the app on the black bar are now closed,” explained Anduiza. “I would say that they cut them directly.”


Were you affected by these malicious ads – or do you use an ad blocker?


As a PR Consultant and journalist, Frink has covered IT security issues for a number of security software firms, as well as provided reviews and insight on the beer and automotive industries (but usually not at the same time). Otherwise, he’s known for making a great bowl of popcorn and extraordinary messes in a kitchen.