Security Experts:

Spotify Falls Victim to Malvertising Attack

People using the Spotify Free online music service have been served malicious advertisements that could automatically open a web browser and redirect them to malware-laden sites.

Spotify is a so-called freemium online music service that people can use to listen to music on multiple devices, including computers, mobile phones, tablets, and even TVs. Those willing to pay for the service enjoy the music at their own pace, but those who don’t pay are served ads that they can interact with.

Normally, a user would need to click on an ad to have it launching a web page in the browser, but some Spotify Free users recently noticed that the ads they were seeing were behaving differently. Specifically, the ads were launching a Web browser to open a website without user interaction.

“This started a several hours ago. If you have Spotify Free open, it will launch - and keep on launching - the default internet browser on the computer to different kinds of malware / virus sites. Some of them do not even require user action to be able to cause harm,” one user posted on the Spotify Community forum.

Other users reported similar behavior, and Spotify has already confirmed that the issue affected some of its users. They were “experiencing a problem with questionable website pop-ups in their default browsers as a result of an isolated issue with an ad on our Free tier. We have now identified the source of the problem and have shut it down. We will continue to monitor the situation,” Spotify said.

The incident is a perfect example of how malvertising campaigns can hit users through more than just websites. As long as a connected application can serve ads and cybercriminals are able to trick networks into accepting their nefarious ads, malvertising will happen. Attackers hide malicious code inside seemingly legitimate adverts, and users with vulnerable devices pay the price.

Malicious ads can be used not only to aggressively redirect users to websites they don’t want to visit, but also to download malware on their devices in what researchers call drive-by attacks. The user doesn’t even have to interact with the malicious ad, because the script hidden inside it does everything automatically.

Oscar Anduiza, malware analyst at Avira, also noted that the dead giveaway in this incident was the abnormal behavior of the displayed ads. “But this time we had some aggressive ads that were spam and scams which automatically opened up in the browser without any user consent,” Anduiza said.

He also notes that Spotify was right to act on the issue so fast, and that the service appears to have cut the suspect ads directly. “Some of the advertisements that should appear within the app on the black bar are now closed. I would say that they cut them directly,” Anduiza also said.

As always in situations where malvertising is involved, users can stay protected by keeping their applications and operating system updated at all times. They should also consider installing and maintaining an anti-malware solution for increased protection.

Related: Massive Malvertising Campaigns Hit Sites Worldwide

Related: Malvertising Campaign Hits Top Global Websites

view counter