Streaming music service Spotify has been displaying malicious ads to users of their Free version. The ads lead to websites that used the Blackhole Exploit Kit to infect users with the Windows Recovery fake AV application.


Patrick Runald, Websense Security Labs, comments: "Malvertising is nothing new, but this case is slightly different. Usually malicious ads are displayed as part of a website and viewed with the browser. In this case the malicious ad is actually displayed inside the Spotify application itself. This means that it's enough that the ad is just displayed to you in Spotify to get infected, you don't even have to click on the ad itself. So if you had Spotify open but running in the background, listening to your favorite tunes, you could still get infected."

Once the ad was displayed, the connects to uev1.co.cc where the exploit kit tries several vulnerabilities including a vulnerability in Adobe Reader/Acrobat to infect the user.

The IP address where the malicious content is hosted is well-known and the Websense Security Labs have seen it host the same exploit kit on several other domains.

The Fake AV installs a rootkit, a type of malicious software that is very hard to find ( virus total : only 4/43 antivirus engines detect it).

One interesting thing is that this appears so far to only target users in the UK and Sweden.

Spotify removed all 3rd party ads in the free version while they did their investigation but the ads have now been turned back on again.