Spotify ads hit by malware attack

Image: Screenshot of bogus Windows Recovery software. Caption: The vulnerability allowed bogus anti-virus software to be installed on the user's machine without their knowledge or consent.

Spotify has apologised to users after an advertisement containing a virus was displayed to some users of the music-streaming service.

The advertisement, which appeared within Spotify's Windows desktop software, did not need to be clicked on in order to infect a user's machine.

The exploit would install a bogus 'Windows Recovery' anti-virus program.

"Users with anti-virus software will have been protected," Spotify said in a statement.

"We quickly removed all third party display ads in order to protect users and ensure Spotify was safe to use.

"We sincerely apologise to any users affected. We'll continue working hard to ensure this does not happen again and that our users enjoy Spotify securely and in confidence."

The vulnerability only affects users with free subscriptions.

Security research specialists Websense said it received the first report of "malvertising" on the service at 11:30 GMT on 24 March, noting that it used the Blackhole Exploit Kit - a tool for hackers - to carry out the attack.

Malvertising is usually confined to content viewed through web browsers, but this instance was displayed within the Spotify software itself for people with a free membership.

"The application will render the ad code and run it as if it were run inside a browser," explained Websense's Patrik Runald in a blog post.

"This means that the Blackhole Exploit Kit works perfectly fine and it's enough that the ad is just displayed to you in Spotify to get infected, you don't even have to click on the ad itself.

"So if you had Spotify open but running in the background, listening to your favorite tunes, you could still get infected."

Avast! anti-virus said the majority of their users reporting infections were from Sweden (59%), while 40% of virus reports relating to the vulnerability came from the UK. The rest were from other countries.

One affected user told the BBC: "I hadn't clicked on any advert but it did appear to download itself at the same time as the first advert image popped up in the Spotify program.

"The virus then began popping up on my desktop, telling me that I had a critical hard drive failure and would need to restart.

"It won't stop me using Spotify but did cost me about six hours to figure out what had happened and restore everything back to normal."

Spotify, which is based in Sweden, has over ten million users, most of whom use the free service.

BBC © 2014