I’ve been following that and they would only add malware if I tell them to do so or if I stop using sourceforge to distribute the software ;). The only malicious thing currently concerting UrBackup are the download-button ads on the download page, but I think most people are able to avoid those (but it’s definitely not nice).
So I see no reason to hurry to another hosting provider. I’ll have a look if I can upload 400MB to GitHub releases and another look at how much self-hosting it would cost. I moved the auto-updates from my private webspace to sourceforge at some point because there were gigabytes of traffic and I don’t know how much falls under “unlimited traffic”.
The auto-update does indeed verify a signature which only I can create.