For example gmail is on google.com, so is google drive, google transalte (I think this might be a big one), and various other services that host user content.
Since a couple of years, google redirects you when you click on a hit URL via google.com/something (you only notice this on a slow connection like an EDGE/2G network).
It might very well be that the malware scanner picked up a link to such a "redirector" which leads to malware and then took the TLD google.com for malicious.
Another reason why one should never ever host user-generated files (or links/redirects) on the primary domain. Github did this with github.io for the same reason.
I wonder if malicious plugins are modifying the page and injecting things? I've encountered ones that physically change Google results pages, it looks like the page came from Google but the results are from some scam network.
