


InfoTech: Spotify targeted by "different" malware-carrying ads




A statement from the company says that an advertisement began to run on Thursday evening and that it, and all other third-party applications, had been disabled by Friday morning. Even so, "a number of our Spotify Free / Open users in the UK, Sweden, France and Spain running Windows were targeted by a virus contained in an advert."

The free service is ad-supported. Paid-for versions do not carry adverts and so subscribers were not at risk.

There have been many instances of adverts being gateways to malware, often for products claiming to clean a PC of the very threat that they present. But the Spotify problem is different: users did not need to click on the advert. According to Websense Security Labs, it ran within the Spotify application and downloaded malware as the ad was displayed.

Websense says: "The application will render the ad code and run it as if it were run inside a browser. This means that the Blackhole Exploit Kit works perfectly fine and it's enough that the ad is just displayed to you in Spotify to get infected, you don't even have to click on the ad itself. So if you had Spotify open but running in the background, listening to your favorite tunes, you could still get infected."

Worse, the malware is hidden below multiple layers: "One of the vulnerabilities the exploit kit uses is a vulnerability in Adobe Reader/Acrobat. The kit uses a heavily obfuscated PDF file to make the infected computer download the fake AV software."

The danger is potentially huge, as the principle may be exported to applications running within social networking websites, where many users suspend the cynicism that they would otherwise have while visiting the broader web. That makes sense: many users rely on the reputation of the website they are visiting, often not noticing that third-party content is imported as they view a page.
