Last year, Malwarebytes launched a VPN service, Malwarebytes Privacy:
[…] we've developed our own VPN that Malwarebytes users can trust to protect your data and privacy every time you go online. To that end, we proudly present: Malwarebytes Privacy. Most importantly, Malwarebytes Privacy does not collect user logs or telemetry data whatsoever. Your data remains private—even from us. As an added bonus, with over 180 servers in more than 30 countries, our VPN offers users the potential to view different, localized content around the Internet.
Techradar even said "This could be the most secure VPN around today".
Except that Malwarebytes Privacy is just some paint on top of Mullvad and various open-source tools, which would be a parasitic albeit fine behaviour if this were clearly disclosed (as Mullvad is (amusingly) doing on its website), but there is no mention of this whatsoever on Malwarebytes' one. Worse, they're using a possessive voice when talking about the servers (which are Mullvad's) and the code (mostly Wintun and wireguard-windows amongst others, to which they didn't contribute back a single line of code).
Speaking of code, it's shipping:
- 7z.dll from 2018, licensed under LGPL, and some parts under BSD, violating this license.
- wintun.dll, version 0.13, from the Wintun project, without mentioning it. Moreover, the binary is different from the one provided by Wintun, meaning it's not subject to the custom binary license, but is using the GPLv2! I of course sent an email requesting the source code.
Most of the embedded dependencies are from 2018, and subject to documented vulnerabilities:
It's also shipping its own kernel driver that really should get an audit. It's not as if writing a network-facing, cryptography-performing, kernel-mode driver were something horribly difficult in every way. Just check the documentation of the official WireGuard implementation for Windows for a glimpse into the amount of care and complexity involved.
At least the Mullvad app's code is public, and released under GPL.
- It's operating under the EU Privacy Shield (declared illegal by the ECJ in July 2020)
- Malwarebytes will "retain and use your personal information as necessary to comply with our business requirements, legal obligations, resolve disputes, protect our assets, and enforce our agreements. Because these needs can vary for different data types in the context of different products or services, actual retention periods can vary significantly.", without giving more details.
- It's violating the GDPR in an explicit "lol fuck you" way: "Your personal information may be transferred to, and maintained on, computers located outside of your state, province, country, or other governmental jurisdiction where the privacy laws may not be as protective as those in your jurisdiction. If you are located outside the United States and choose to provide your personal information to us, we may transfer your personal information to the United States and process it there."
- Malwarebytes is collecting a ton of data via its different products, without distinguishing between them:
  - A location item indicating the continent, country, city, and approximate latitude/longitude of the user based on your IP address
  - The type of connection (dialup/broadband/satellite/mobile)
  - The ISP through which the connection is made
  - The organization to which the IP address is licensed, if any
  - "we may need to collect system processes and behaviors in order to perform system rollback and recovery operations."
  - The operating system the program is installed on
  - The system language in use on that system
  - The processor architecture (i.e., 32- or 64-bit)
  - The file system in use (i.e., FAT32)
  - Information from the Windows Security/Action Center, including security settings and programs installed or in use
  - Information about other Malwarebytes program settings and how they are configured
  - Information about how you use our software or services ("Log Data")
And collecting data they do, if only for licensing purposes, as a quick look at can tell us.
With things like interesting WMI queries:
0x180328270 SELECT Index, MACAddress, Name FROM Win32_NetworkAdapter where AdapterTypeId=0
0x1803282F8 SELECT SerialNumber FROM Win32_BIOS
0x180328320 SELECT UUID FROM Win32_ComputerSystemProduct
0x1803283E0 SELECT processorID FROM win32_processor
0x180328598 SELECT Signature FROM Win32_DiskDrive WHERE Index=%u
0x1803287F0 SELECT serialNumber FROM Win32_PhysicalMemory
0x180328870 SELECT SerialNumber FROM Win32_DiskDrive WHERE Index=%u
as well as virtual environment detection in 0x18006DCE0. There are also some traces of Connectwise code, likely to manage the licenses, supporting some old-school crypto like MD5 and SHA1 with a home-brewed certificate validation.
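As an added triage helper (not code from this post, from Malwarebytes or from Mullvad), here is a small Python script that takes a strings dump in the "address, WQL query" form shown above, extracts the queries, and reports which per-machine identifiers (MAC address, BIOS/disk/RAM serials, system UUID, processor ID) each one reads. The sample input is the dump above re-typed as a constructed string, and the address format and the table of identifying properties are assumptions.

```python
import re
from typing import Dict, List, Tuple
# Constructed sample input: the strings-dump lines quoted in the post,
# one "<address> <WQL query>" pair per line.
SAMPLE_DUMP = """\
0x180328270 SELECT Index, MACAddress, Name FROM Win32_NetworkAdapter where AdapterTypeId=0
0x1803282F8 SELECT SerialNumber FROM Win32_BIOS
0x180328320 SELECT UUID FROM Win32_ComputerSystemProduct
0x1803283E0 SELECT processorID FROM win32_processor
0x180328598 SELECT Signature FROM Win32_DiskDrive WHERE Index=%u
0x1803287F0 SELECT serialNumber FROM Win32_PhysicalMemory
0x180328870 SELECT SerialNumber FROM Win32_DiskDrive WHERE Index=%u
"""

# WMI class -> properties that are stable per machine and therefore usable
# as a hardware fingerprint (assumed list, matched case-insensitively).
IDENTIFYING = {
    "win32_networkadapter": {"macaddress"},
    "win32_bios": {"serialnumber"},
    "win32_computersystemproduct": {"uuid"},
    "win32_processor": {"processorid"},
    "win32_diskdrive": {"signature", "serialnumber"},
    "win32_physicalmemory": {"serialnumber"},
}

# "<hex address> SELECT ..." (assumed dump format) and a minimal WQL SELECT grammar.
LINE_RE = re.compile(r"^(0x[0-9A-Fa-f]+)\s+(SELECT\s.+)$")
WQL_RE = re.compile(r"^SELECT\s+(.+?)\s+FROM\s+(\w+)(?:\s+WHERE\s+.+)?$", re.IGNORECASE)

def parse_dump(text: str) -> List[Tuple[str, str]]:
    """Return (address, query) for every line that carries a WQL SELECT."""
    matches = (LINE_RE.match(line.strip()) for line in text.splitlines())
    return [(m.group(1), m.group(2)) for m in matches if m]

def parse_wql(query: str) -> Tuple[str, List[str]]:
    """Split a WQL SELECT into (class, [properties]), both lowercased."""
    m = WQL_RE.match(query.strip())
    if not m:
        return "", []
    return m.group(2).lower(), [p.strip().lower() for p in m.group(1).split(",")]

def triage(text: str) -> Dict[str, List[str]]:
    """Map each identifying class.property to the addresses whose query reads it."""
    hits: Dict[str, List[str]] = {}
    for addr, query in parse_dump(text):
        cls, props = parse_wql(query)
        for prop in props:
            if prop in IDENTIFYING.get(cls, ()):
                hits.setdefault(f"{cls}.{prop}", []).append(addr)
    return hits
```

Running `triage(SAMPLE_DUMP)` on the sample yields seven identifying reads; `Index` and `Name` on Win32_NetworkAdapter are correctly ignored as non-identifying.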
tl;dr You'd be better off using Mullvad directly: it's the same price, without invasive telemetry and useless risky sugarcoating on top of it.
Bonus: Malwarebytes cares a lot about your privacy and consent, which is likely why, on every web page of malwarebytes.com, a phony gif (https://genesis.malwarebytes.com/api/v1/wai.gif) returning JSON for fingerprinting purposes is sneakily loaded.