The so-called malvertising affected Spotify's subscription-free service on Windows, Mac and Linux machines.
People reported that virus-infected pop-up websites were appearing while they listened to music.
Spotify said in a statement: "We have now identified the source of the problem and have shut it down."
It said "questionable website pop-ups" had affected a "small number of users".
Cybersecurity experts have warned that malvertising is on the rise, because the scale of popular advertising networks can be misused to push malicious content to a wide audience.
Many companies use a third-party network to display ads in their software or on their websites.
It is not the first time Spotify has inadvertently distributed malware-infected content through its advertising network. A similar issue affected the software in 2011.
Other prominent companies have also been targeted.
"We've seen an increase in malvertising of this kind," said Rahul Kashyap of the computer security company Bromium.
"Malware via ads provides great return of interest for the attackers and are difficult to be reliably blocked at the ad launch."
The company said it had found that more than a quarter of the world's 1,000 most visited websites had delivered malware through malicious advertisements in 2015.
Spotify said it would "continue to monitor" advertisements in its software.