Spotify says it has fixed a problem in its software that let rogue adverts automatically open virus-infected websites on a victim's device.
The so-called malvertising affected Spotify's subscription-free service on Windows, Mac and Linux machines.
People reported that virus-infected pop-up websites were appearing while they listened to music.
Spotify said in a statement: "We have now identified the source of the problem and have shut it down."
It said "questionable website pop-ups" had affected a "small number of users".
Cybersecurity experts have warned that malvertising is on the rise, because the scale of popular advertising networks can be misused to push malicious content to a wide audience.
"Malvertising can slip onto any platform or website that displays ads delivered by advertising networks," said Jan Zika of antivirus firm Avast.
"While malvertising is usually hosted on sites that provide illegal content such as movie downloads, it does occasionally make its way on to more mainstream platforms, such as Spotify.
"Users should install antivirus software that will catch malvertising before it can do any harm."
It is not the first time Spotify has inadvertently distributed malware-infected content through its advertising network. A similar issue affected the software in 2011.
Other prominent companies have also been targeted.
"We've seen an increase in malvertising of this kind," said Rahul Kashyap of the computer security company Bromium.
"Malware via ads provides great return of interest for the attackers and are difficult to be reliably blocked at the ad launch."
The company said it had found that more than a quarter of the world's 1,000 most visited websites had delivered malware through malicious advertisements in 2015.
Spotify said it would "continue to monitor" advertisements in its software.