Over the past few days, reports on social media have indicated that Spotify Free has been causing random popup messages and browser windows to appear. The problem has been observed on Windows, Mac OS X and Linux systems, including on PCs that are essentially running a clean installation of their operating system.
In a post on Spotify’s community forums yesterday, user tonyonly detailed the malware users are facing. “If you have Spotify Free open, it will launch – and keep on launching – the default internet browser on the computer to different kinds of malware / virus sites.”
Some of the websites being displayed reportedly “do not even require user action” to infect computers and cause damage. There’s the potential for Spotify to cause significant virus attacks against its users’ machines. Spotify Premium users are not affected as the company only displays adverts in the free version of its client.
Spotify responded quickly to the reports and moved to investigate the compromised adverts. It now says the cause has been resolved, although it has not stated if it has implemented additional mechanisms to stop a similar issue re-emerging in the future. It attributed the malicious popups to an “isolated issue” with a single ad, according to a statement today.
“A small number of users have experienced a problem with questionable website pop ups in their default browsers as a result of an isolated issue with an ad on our free tier,” the company told TrustedReviews. “We have now identified the source of the problem and have shut it down. We will continue to monitor the situation.”
Malicious adverts are a common problem online. They can be used to hijack websites or a user’s computer. If an attacker can sneak an infected ad into a global distribution network, they have the potential to target millions of web users.
The security issues caused by interactive online advertising are a key contributor to the rising use of ad blockers. Ad blockers offer no protection when the adverts are being displayed outside of a web browser though. In this case, the only way users can protect themselves is by uninstalling the Spotify app, cutting themselves off from the malware and their music.
This isn’t the first time Spotify has been caught hosting malicious ads. Back in 2011, the company faced a similar issue. A rogue advert installed a fake anti-virus program onto computers based in the UK and Sweden. Spotify was quick to respond to the incident, banishing the malvertising within a few hours. It has taken the same approach to this week’s reports, although there’s no guarantee infected ads won’t return in the future.
