We have discovered a vulnerability that affects versions of the Spotify app for Android older than 1.1.1. If exploited, the vulnerability can allow bad guys to control what is being displayed on the app interface. This vulnerability can potentially be abused by cybercriminals to launch phishing attacks that may result in information loss or theft.
- There's something pretty alarming going on right now with Spotify Free. This started several hours ago. If you have Spotify Free open, it will launch - and keep on launching - the default internet browser on the computer to different kinds of malware / virus sites. Some of them do not even require user action to be able to cause harm.
- According to Spotify, they have a team working to investigate the issue. However, at the time of publication, there does not appear to be a solution to the problem. If you’re using the free version of Spotify on your desktop, it might be a good idea to stop using it, and uninstall it, until the problem with the malware-infected ads is fixed.
- Many Spotify users are complaining that its freemium service is infecting their browsers with malware. Last year, the music and video streaming giant Spotify was in the bad news when Russian hackers were suspected to have hacked some of its users’ accounts or when the company’s CEO Daniel Ek apologized for collecting private data of its users.
Spotify quickly responded to our discovery by fixing the flaw in the 1.1.1 version of the app. Users are encouraged to make sure they are using the latest version of Spotify for Android.
Affected Activity
The vulnerability affects a specific activity (com.spotify.mobile.android.ui.activity.TosTextActivity), which is designed to retrieve and show Spotify web pages in the app. The vulnerability causes the content of these exported web pages to be visible to other apps installed on the phone. Furthermore, the bug can allow a separate app, process, or thread to trigger the activity without the need for additional permissions.
Using a malicious app, an attacker can exploit this activity to alter the content being shown by the app to users. For example, we were able to show the Google home page on the Spotify app. Far more malicious pages can also be displayed within the app.
Figure 1. Official Spotify app displaying Google home page
Figure 2. “Malicious” page that could be displayed by the app
It should be noted that the malicious app can trigger and “minimize” the activity at will. If a user tries to stop the Spotify app by using the “Back” button, the malicious content will show up on the screen. Users who may not be overly familiar with the app might view this action as a normal routine for the app.
Because potential attacks do not require additional permissions, users may not be aware of any suspicious activity that may arise from this situation. No additional permissions also mean that AV solutions and threat researchers may find it harder to detect and analyze malicious activity.
Potential for Phishing Attacks
Attackers may take advantage of this vulnerability to create phishing pages that ask for sensitive information such as user names, passwords, contact details, and even payment information. The latter is especially plausible considering Spotify offers both free and premium services. A well-crafted phishing page might cause users to assume that the request for financial information is part of a routine or process. A phishing page is often just the first step to other schemes. The stolen information could be used for other schemes such as identity theft, fraud, or even targeted attacks.
Cybercriminals may also create pages that will lead users to other threats such as malware. Because the vulnerability lies within the official app—compared, say, to a fake Spotify app—users will be prone to believe the malicious pages being displayed. These scenarios are similar to ones we previously discussed in our blog entry, Android App Components Prone to Abuse.
Spotify has fixed the flaw in Version 1.1.1 of the Android app. To help protect themselves against this issue, we advise Spotify users to upgrade to that version, download the latest version, or visit the Google Play store to get the latest update automatically. At the time of publishing, the latest version is 1.1.2.
As of this writing, we are not aware of any attacks using this vulnerability.