Patrick Runald, Websense Security Labs, comments: "Malvertising is nothing new, but this case is slightly different. Usually malicious ads are displayed as part of a website and viewed with the browser. In this case the malicious ad is actually displayed inside the Spotify application itself. This means that it's enough that the ad is just displayed to you in Spotify to get infected, you don't even have to click on the ad itself. So if you had Spotify open but running in the background, listening to your favorite tunes, you could still get infected."
Once the ad was displayed, the connects to uev1.co.cc where the exploit kit tries several vulnerabilities including a vulnerability in Adobe Reader/Acrobat to infect the user.
The IP address where the malicious content is hosted is well-known and the Websense Security Labs have seen it host the same exploit kit on several other domains.
The Fake AV installs a rootkit, a type of malicious software that is very hard to find ( virus total : only 4/43 antivirus engines detect it).
One interesting thing is that this appears so far to only target users in the UK and Sweden.
Spotify removed all 3rd party ads in the free version while they did their investigation but the ads have now been turned back on again.
Reading our newsletter every Monday will keep you up-to-date with security news.
Receive a daily digest of the latest security news.