Spotify, the popular streaming music service, has been displaying malicious advertisements to users of its Free version, warns security firm Websense.
The ads lead to websites that use the Blackhole Exploit Kit to infect users with the Windows Recovery fake anti-virus (AV) application.
Malvertising is nothing new, but this case is slightly different, says Patrick Runald, of Websense Security Labs.
Usually malicious ads are displayed as part of a website and viewed with the browser, but in this case the malicious ad is displayed inside the Spotify application. It also appears to be targeting only users in the UK and Sweden.
"This means that it is enough that the ad is just displayed to you in Spotify to get infected, you do not even have to click on the ad. So if you had Spotify open, but running in the background, listening to your favourite tunes, you could still get infected," according to Runald.
Once the ad is displayed, it connects to hxxp://uev1.co.cc, where the exploit kit tries several vulnerabilities, including one in Adobe Reader and Acrobat, to infect the user.
The IP address where the malicious content is hosted is well-known, and Websense Security Labs has seen it host the same exploit kit on other domains.
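One defensive check a network team could run on the basis of this report is a sweep of outbound proxy logs for requests to the domain named in the article (uev1.co.cc) and to the hosting IP Websense describes. The script below is an added example, not code from the article or from Websense. The article does not give the hosting IP, so the IP in the block is a labelled placeholder from the RFC 5737 documentation range, the log format is a simple constructed one, and the user-agent strings are constructed values, not the real Spotify client's.

```python
import re
from collections import defaultdict

# Indicator taken from the article (printed there defanged as hxxp://uev1.co.cc).
KNOWN_BAD_HOSTS = {"uev1.co.cc"}
# The article says the hosting IP is well known but does not print it; this is a
# placeholder in the RFC 5737 documentation range, NOT the real address.
KNOWN_BAD_IPS = {"203.0.113.10"}

# Constructed sample proxy log (not real traffic). Format, one request per line:
#   timestamp client_ip method url status user_agent
# The user-agent strings are made up for the example.
SAMPLE_LOG = """\
2011-03-25T10:01:02Z 10.0.0.15 GET http://uev1.co.cc/index.php 200 StreamingClient/1.0
2011-03-25T10:01:05Z 10.0.0.15 GET http://uev1.co.cc/pdf.php 200 StreamingClient/1.0
2011-03-25T10:02:10Z 10.0.0.22 GET http://example.com/ 200 Mozilla/5.0
2011-03-25T10:03:44Z 10.0.0.31 GET http://203.0.113.10/load.php 200 StreamingClient/1.0
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<url>\S+) (?P<status>\d+) (?P<ua>.*)$"
)
HOST_RE = re.compile(r"^[a-zA-Z][a-zA-Z0-9+.-]*://([^/:]+)")


def parse_line(line):
    """Split one log line into its fields; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def host_of(url):
    """Extract the host part (domain or IP literal) from a URL, lowercased."""
    m = HOST_RE.match(url)
    return m.group(1).lower() if m else None


def classify_host(host):
    """Return a reason string if the host matches a known indicator, else None."""
    if host in KNOWN_BAD_HOSTS:
        return "known malvertising domain"
    if host in KNOWN_BAD_IPS:
        return "known exploit-kit hosting IP (placeholder)"
    return None


def find_hits(log_text):
    """Return every request in the log whose destination matches an indicator."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec:
            continue  # skip blank or malformed lines rather than failing the sweep
        host = host_of(rec["url"])
        reason = classify_host(host) if host else None
        if reason:
            hits.append({"ts": rec["ts"], "client": rec["client"],
                         "host": host, "ua": rec["ua"], "reason": reason})
    return hits


def summarize(hits):
    """Group hits by internal client so each machine can be triaged once."""
    by_client = defaultdict(set)
    for h in hits:
        by_client[h["client"]].add(h["host"])
    return dict(by_client)


if __name__ == "__main__":
    for client, hosts in summarize(find_hits(SAMPLE_LOG)).items():
        print(f"{client}: contacted {sorted(hosts)} -> isolate and check for fake AV / rootkit")
```

Because the article notes the exploit kit fires on ad display alone, a hit in these logs should be treated as a likely compromise of the client machine rather than as a blocked attempt, which is why the summary is keyed by internal client address.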
The fake AV installs a rootkit, a type of malicious software, and only four out of 43 antivirus engines detect this sample, according to VirusTotal.
Spotify removed all third-party ads in the free version while it carried out an investigation, but the ads have now been turned back on, said Websense.