The attack was reported by multiple users on social media throughout Wednesday morning. For most, it simply resulted in pop-up windows opening, but a few users reported attempted malware installations further down the chain.
In response to a user question, Spotify confirmed the reports. “We’ve identified an issue where a small number of users were experiencing a problem with questionable website pop-ups in their default browsers as a result of an isolated issue with an ad on our Free tier. We have now identified the source of the problem and have shut it down. We will continue to monitor the situation.”
Malvertising has hit some of the biggest websites, including Yahoo, the New York Times and the BBC. The problem arises because most large sites sell advertising space through third-party resellers, which pull in the code for the adverts on the fly based on an open auction. If malicious code can be smuggled on to the ad server, it can often be sent to multiple sites at once.
The rise of malvertising has been a key driver in the use of ad-blocking software, which can prevent the adverts being loaded in the first place. But in-app adverts, of the sort that Spotify uses, are harder to block. Another alternative for users annoyed by Spotify adverts: sign up for the service’s premium tier, at £9.99 a month.