When I worked at Google I got to hear a number of "My friend's site is being accused of hosting malware but I know these guys, they don't do that!" and almost without exception, what had happened was that someone had compromised the web server, downloaded the images, re-compressed them with an image-based exploit (sometimes changing them from gif to jpg in the process) and put them back on the site. To Grandma and her friends the site hadn't changed in years, except that now it was doing a drive-by injection of malware.
I don't doubt for a minute that if someone figured out how to create a twitpic app that could inject malware into the images you shared, they would try really hard to get it onto your phone. How great a coup to have all eleventybillion followers check out your latest 'woah!' picture and spread the malware. It's a primo target.
I'm not defending Google here, I'm just saying that putting malware into images is a primary goal of any number of advanced persistent threat shops. Keep that in mind and make sure you keep an offline MD5 hash of every picture on your web site for validation.
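An added example, not part of the original comment, of the offline-hash validation suggested above. It uses SHA-256 rather than the MD5 named in the comment, also flags the gif-to-jpg swap the comment describes, and all file names and bytes in `demo()` are constructed samples.

```python
import hashlib
import tempfile
from pathlib import Path

IMAGE_EXTS = {".gif", ".jpg", ".jpeg", ".png"}

def build_manifest(root):
    """Map each image's relative path to its SHA-256 digest."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*"))
        if p.is_file() and p.suffix.lower() in IMAGE_EXTS
    }

def compare(baseline, current):
    """Return sorted (kind, detail) findings: offline baseline vs. live tree."""
    findings = []
    added = set(current) - set(baseline)
    for path, digest in baseline.items():
        if path in current:
            if current[path] != digest:
                findings.append(("modified", path))
            continue
        # Same name, different extension: the gif -> jpg swap from the comment.
        stem = path.rsplit(".", 1)[0]
        swaps = sorted(a for a in added if a.rsplit(".", 1)[0] == stem)
        if swaps:
            findings.append(("format_changed", f"{path} -> {swaps[0]}"))
            added.discard(swaps[0])
        else:
            findings.append(("missing", path))
    findings.extend(("new", path) for path in added)
    return sorted(findings)

def demo():
    """Constructed sample: three placeholder 'images', then simulated tampering."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "img").mkdir()
        (root / "logo.gif").write_bytes(b"GIF89a constructed sample 1")
        (root / "img/cat.gif").write_bytes(b"GIF89a constructed sample 2")
        (root / "img/dog.png").write_bytes(b"\x89PNG constructed sample 3")
        baseline = build_manifest(root)  # in practice, written out and kept offline
        (root / "logo.gif").write_bytes(b"GIF89a re-compressed copy")  # new bytes
        (root / "img/cat.gif").rename(root / "img/cat.jpg")            # format swap
        (root / "extra.png").write_bytes(b"\x89PNG unexpected file")   # not in baseline
        return compare(baseline, build_manifest(root))
```

The baseline only helps if it is stored somewhere the web server cannot write to, since anyone able to replace the images could otherwise replace the manifest too.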
If that's what's happening here, then the warning seems good for everyone... except that the wording is defamatory.
Rather than accusing Twitpic of being "a known distributor of malware", it might be better if the message said something like "The site appears to be infected with malware. This warning will remain in place until the malware has been removed."
The other big vector for tripping malware detection is 3rd party ad networks. When you have multiple parties outside your control that can inject arbitrary HTML and JavaScript into your page, all it takes is one bad advertiser.