Malcious .jar files found on Google Code site for second time in weeks

Malicious malware has been found for a second time on Google Code’s site with malicious .jar files being hosted on the site and a simple virus scan uncovering the software.

Researchers at Zscaler found two instances of malware domains being hosted on the domain with “hxxp://update-java.googlecode.com/” and “hxxps://code.google.com/p/update-java/” both on the site.

“Using Google code to distribute malware seems to increasing in popularity, no doubt due not only to the free hosting provided, but also the positive reputation of the google.com domain. This indicates that there is presently inadequate validation performed by Google prior to content being uploaded to the Google Code site. In this case, a simple anti-virus scan would have found following pieces of malware,” commented Pradeep Kulkarni at Zscaler.

The two projects that are hosted on code.google.com are the brainchild of one uploader that had an email ID of “daicadad...@gmail.com” according to Kulkarni. He also suggested that hosting the malware was “the only goal” and that no attack was planned or imminent.

Kulkarni doesn’t give an exact date that the file turned up on the site and only explained that the “‘Download’ link indicates April 26 2013”, however, Zscaler’s own logs show “the same file being hosted on "hxxp://heckraiser.fileave.com/youtube/YouTube.jar" as far back as July 24, 2011.”

It becomes the second time in just weeks that Zscaler has identified malicious files being hosted on Google Code’s site with the research blog stating at the time that “no file hosting service is beyond reproach”.

"In the past, we have seen sites such as Dropbox, Google Code and other free hosting providers being leveraged to deliver malware. Free hosting providers, especially those with a positive reputation are becoming popular for attackers to serve malicious content. Enterprises and end users alike, should consider any third-party content, regardless of location, to be untrusted until it has been appropriately scanned,” Kulkarni added.

Image Credit: Flickr (voteprime)