For example, Gmail is on google.com, and so are Google Drive, Google Translate (I think this might be a big one), and various other services that host user content.
For a couple of years now, Google has redirected you via google.com/something when you click on a hit URL (you only notice this on a slow connection like an EDGE/2G network).
It might very well be that the malware scanner picked up a link to such a "redirector" which leads to malware and then took the TLD google.com for malicious.
Another reason why one should never ever host user-generated files (or links/redirects) on the primary domain. GitHub did this with github.io for the same reason.
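An added example, not part of the thread, illustrating the comment above about keeping user-generated content off the primary domain: a scanner that condemns the whole registrable domain of any bad URL takes clean services on a shared domain down with it, while sites under a private suffix such as github.io stay isolated from each other. The suffix set is a tiny constructed stand-in for the Public Suffix List, and `bigco.example`, `user-a` and `user-b` are hypothetical names.

```python
from urllib.parse import urlsplit

# Constructed stand-in for the Public Suffix List. "github.io" is a private
# PSL entry, so every user site under it is its own registrable domain.
SUFFIXES = {"example", "io", "github.io"}

# Constructed scanner findings: (URL, flagged as malicious?).
FINDINGS = [
    ("https://www.bigco.example/url?q=http://bad.example/x", True),  # redirector
    ("https://mail.bigco.example/inbox", False),
    ("https://drive.bigco.example/file/1", False),
    ("https://user-b.github.io/payload.html", True),
    ("https://user-a.github.io/blog/", False),
]


def registrable_domain(host):
    """Return the longest matching suffix plus one label to its left."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):  # i = 0 tries the longest candidate first
        if ".".join(labels[i:]) in SUFFIXES:
            # A host that is itself a suffix has no registrable domain.
            return ".".join(labels[i - 1:]) if i > 0 else None
    return None


def blocked_domains(findings):
    """Domains condemned by a scanner that blocks per registrable domain."""
    return {registrable_domain(urlsplit(url).hostname)
            for url, bad in findings if bad}


def collateral(findings):
    """Clean URLs that get blocked only because they share a domain."""
    blocked = blocked_domains(findings)
    return [url for url, bad in findings
            if not bad and registrable_domain(urlsplit(url).hostname) in blocked]


if __name__ == "__main__":
    print("blocked:", sorted(blocked_domains(FINDINGS)))
    for url in collateral(FINDINGS):
        print("collateral:", url)
```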
I wonder if malicious plugins are modifying the page and injecting things? I've encountered ones that physically change Google results pages; it looks like the page came from Google, but the results are from some scam network.