Spyware and malware frequently try to trick you into thinking they're legitimate pieces of software so you'll agree to run them on your system. Spotify is not one of those malicious programs. While malware and spyware can try to attack your computer through Spotify, Spotify itself is not malware.
Spotify Is Not Spyware
Spyware is malicious software whose authors wrote the code with the explicit purpose of infecting computers and stealing data off their hard drives. Spotify is not spyware. You won't find any malicious code within its executable file so you shouldn't worry that the simple act of installing it will infect your computer with spyware or malware. However, malicious code could try and sneak onto your computer when you are using the free version of Spotify's service.
Spotify has to pay for the music it stream, and it has to get that money from you somehow. If you aren't paying for one of Spotify's subscription plans then it will run ads within your client for revenue. Ad buyers purchase advertising time and submit their own code for their spots. When it comes time for your client to display a particular ad, Spotify executes its code.
Most ads just contain the benign code for displaying an advertising spot. However, if a hacker takes out an advertisement and slips malicious code into its spot then Spotify will execute that code. You do not necessarily even have to click on the advertisement itself for the malicious code to execute and install itself on your computer. This kind of attack is commonly referred to as "malvertising." The attack is not unique to Spotify; any software that runs ad code submitted by advertisers is potentially susceptible to malvertising.
Securing Your System
The best way to defend against malvertising from Spotify, or any other software, is to keep your system up to date with security patches and protecting your computer with anti-virus software. Security utilities can catch malicious software that Spotify loads before they have a chance to attack your system, and keeping your system's security patches up to date will minimize the vulnerabilities any malware that slips through could exploit.