Last week, Spotify uncovered a malvertising campaign that was targeting its free users and trying to infect them with malware via annoying popup ads.
On Tuesday, October 4th, some users complained about the problem on the Spotify forums, which was the first sign that something was wrong. The next day, similar complaints showed up on Twitter too.
According to the complaints, the Spotify client app was unexpectedly opening a browser to a specific URL that showed a popup window. The popup tried to trick users into downloading a software package in which a piece of malware was hidden.
The complaints came from users on Mac, Linux, and Windows. The campaign, however, affected only users of the Spotify Free tier. The Free tier lets users listen to a limited set of songs, with the trade-off that the company shows ads once in a while.
Luckily, Spotify managed to find and deal with the problem.
“We’ve identified an issue where a small number of users were experiencing a problem with questionable website pop-ups in their default browsers as a result of an isolated issue with an ad on our Free tier. We have now identified the source of the problem and have shut it down. We will continue to monitor the situation. If you see this issue again, please let us know the exact date and time in this thread.”
Of course, Spotify is not the first online service to be hit by a malvertising campaign, and its free users have been affected in the past as well.
Even though ad-blocking browser extensions harm the online economy and the revenue stream of small websites, they are also the only known methods able to block online malvertising campaigns.
Unfortunately, even ad blockers can’t protect Spotify users, because the popups are triggered by the Spotify client app rather than by a web page. If the popup problem continues, users will have to uninstall the Spotify client until the issue is fixed.