Java Download and FLV Player Phishing Websites Serve Adware on Google App Engine

Aug 19, 13 Java Download and FLV Player Phishing Websites Serve Adware on Google App Engine

Our systems at Barracuda Labs scan millions of websites every day to detect domains that are serving malicious content. Beginning on August 5, 2013, our systems detected a website from the Google app engine server providing drive-by download adware to its visitors: [http]://, and on August 6, 2013, another similar website was found to serve the same adware: [http]:// Both sites are still active as of today (August 19, 2013).


(Updates: As of August 20, 2013, Google engineers had noticed and blocked these two phishing sites. )

The first website java-update[.]appspot[.]com presented a well-crafted page for a free Java download–very similar to the official Java download page from Oracle’s Java page. All links on this phishing website lead to a few redirects and finally trigger a download action for an executable file “Setup.exe”.  If a user tries to install this 289Kb executable file, it will break immediately by saying you do not have the minimum requirements. But in fact, a “Solimba AdWare” has installed into the system. See the VirusTotal analysis for this executable file here: 9 (out of 46) anti-virus vendors say it is a Solimba Adware.

Picture of phishing site java-update[.]appspot[.]com

The path of redirections are:

=> [http]://


===> [http]://

====> [http]://

=====> [http]://

Similarly,  the other site with the Google app engine domain [http]:// hoaxed visitors to install a media player by displaying a message saying “A Media Player Update is Required to View this Content”. Once a user clicks the download button, a chain of redirects started and finally a “Setup.exe” is downloaded; again this executable file is a Solimba Adware. Its VirusTotal analysis is here: 7 (out of 46) anti-virus vendors say it is a Solimba Adware.

Interestingly, this phishing site had updated its page last week to be nicer and more real to attract additional downloads.

Picture of  phishing page updateplayer[.]appspot[.]com on Aug 6th

Picture of phishing page updateplayer[.]appspot[.]com on Aug 10th


The path of redirections is similar but shorter:

=> [http]://

==> [http]://

===> [http]:// is the domain for the Google App engine and customers can register and host their websites there. The involved domains –, and – were privately registered with GoDaddy very recently, created on June 14, 2013, June 20, 2013, and July 17, 2013, respectively. The associated IP address of is (located in Amsterdam, Netherlands), which also hosts and has been reported several times for serving this adware.

As always, Barracuda Labs suggests Internet users to be very careful when clicking links on any websites, and do not install executable files unless extremely necessary. If installing a software is unavoidable, install an anti-virus software before installing anything else. Meanwhile, when buying any anti-virus or other software, go to local office stores (such as Best Buy, Staples, etc.) to get hard copies, or download them from famous vendor websites, such as,,, or, etc.




  1. Hey Jason,

    Thanks for catching this. Our internal systems have disabled these applications. Might not be a bad idea to get you guys in touch with some of the folks that run abuse prevention for Google’s Cloud Platform. Let me know if you’re interested.

    Chris Ramsdale

    Product Manager, Google Cloud Platform

    • Jason Ding /

      Sure, Chris, we’d like to contact to see if we can work something out.