Malwarebytes
Basic Information | |
---|---|
Release Year | 2007 |
Product Type | Software |
In Production | Yes |
Official Website | http://malwarebytes.com/ |
Malwarebytes is anti-virus software for Microsoft Windows, macOS, ChromeOS, Android, and iOS, developed by Malwarebytes Corporation. It is available in a free version, which scans for and removes malware when started manually, and a paid version, which additionally provides scheduled scans, real-time protection and a flash-memory scanner.
Consumer impact summary
Malwarebytes Privacy VPN is a rebranded version of Mullvad VPN, and it raises privacy concerns. The main concern is that it may compromise user privacy through ambiguous data handling practices and the ability to log user information, despite being promoted as a no-logs service. This is a warning sign for users looking for genuine privacy and anonymity.
Controversies
This is a list of all consumer protection incidents related to this product. Any incidents not mentioned here can be found in the Malwarebytes category.
Privacy VPN
In April of 2020, Malwarebytes Labs introduced their Privacy VPN, emphasizing the importance of using a VPN that respects user privacy:[1]
> One important note we consistently emphasize is that it’s important to choose a VPN that does what it promises and doesn’t abuse your data. To make that choice a little easier, we’ve developed our own VPN that Malwarebytes users can trust to protect your data and privacy every time you go online.
However, Malwarebytes VPN is based on Mullvad VPN and various open source tools,[2] and none of this is properly disclosed on the official website. On Mullvad's site, Malwarebytes is listed as a partner.[3] The software is based on open source code, used without contributing back:
- 7z.dll, licensed under LGPL and BSD.
- wintun.dll, version 0.13, from the Wintun project.
These are the embedded dependencies:
Privacy Policy
The Malwarebytes Privacy Policy contains several points that raise privacy concerns:[2]
- Operates under the EU Privacy Shield (declared illegal by the ECJ in July 2020)
- The Data Retention section states:
  > We will retain your personal information as needed to fulfill the purposes for which it was collected. We will retain and use your personal information as necessary to comply with our business requirements, legal obligations, resolve disputes, protect our assets, and enforce our agreements. Because these needs can vary for different data types in the context of different products or services, actual retention periods can vary significantly.
- The International: EU – U.S. Data Privacy Framework, UK Extension to the EU – U.S. Data Framework, and Swiss – U.S. Data Privacy Framework section violates the GDPR:
  > Your personal information may be transferred to, and maintained on, country, or other governmental jurisdiction where the privacy laws may not be as protective as those in your jurisdiction. If you are located outside the United States and choose to provide your personal information to us, we may transfer your personal information to the United States and process it there.
Data collection
Malwarebytes collects the following data via its different products:[2]
- A location item indicating the continent, country, city, and approximate latitude/longitude of the user based on the IP address
- The type of connection (dialup/broadband/satellite/mobile)
- The ISP through which the connection is made
- The organization to which the IP address is licensed
- The operating system the program is installed on
- The system language in use on that system
- The processor architecture (i.e., 32- or 64-bit)
- The file system in use (i.e., FAT32)
- Information from the Windows Security/Action Center, including security settings and programs installed or in use
- Information about other Malwarebytes program settings and how they are configured
- Information about the use of the software or services ("Log Data")
The Functional Data section of the privacy policy states:
> We collect data that is necessary for the functionality of the software or for our performance of providing the software to you. For example, we may need to collect system processes and behaviors in order to perform system rollback and recovery operations.
The Malwarebytes website also contains ad trackers and third-party cookies.[7] In addition, each webpage loads a seemingly harmless GIF file (https://genesis.malwarebytes.com/api/v1/wai.gif). The GIF returns JSON data, which is probably being used for fingerprinting.[2] Fingerprinting is a method to identify and track users uniquely based on the characteristics of their device and browser, which raises additional privacy issues regarding Malwarebytes' behavior.
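A request for an image URL that returns JSON can be spotted by comparing the file extension in the URL with what the response body actually contains. The following is an added example, not code from the cited sources; the hosts and response bodies in `SAMPLE` are constructed for illustration.

```python
import json
import posixpath
from urllib.parse import urlparse

# Leading magic bytes of common web image formats.
IMAGE_MAGIC = {
    "gif": (b"GIF87a", b"GIF89a"),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
}

def sniff(body: bytes) -> str:
    """Return the format the body really contains, judged by content only."""
    for fmt, magics in IMAGE_MAGIC.items():
        if body.startswith(magics):
            return fmt
    try:
        if isinstance(json.loads(body.decode("utf-8")), (dict, list)):
            return "json"
    except ValueError:  # covers UnicodeDecodeError and JSONDecodeError
        pass
    return "unknown"

def claimed_format(url: str) -> str:
    """Format implied by the URL path extension; query string is ignored."""
    ext = posixpath.splitext(urlparse(url).path)[1].lstrip(".").lower()
    return "jpg" if ext == "jpeg" else ext

def find_mismatches(entries):
    """Return (url, claimed, actual) for image URLs whose body is not that image."""
    hits = []
    for url, body in entries:
        claimed = claimed_format(url)
        if claimed in IMAGE_MAGIC and sniff(body) != claimed:
            hits.append((url, claimed, sniff(body)))
    return hits

# Constructed sample captures (hypothetical hosts and bodies, not real traffic).
SAMPLE = [
    ("https://example.test/pixel.gif?u=1", b"GIF89a\x01\x00\x01\x00\x00\x00\x00;"),
    ("https://example.test/api/v1/beacon.gif", b'{"id": "abc123", "ttl": 3600}'),
    ("https://example.test/logo.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 8),
]

if __name__ == "__main__":
    for hit in find_mismatches(SAMPLE):
        print(hit)
```

The same check can be run over the URL and body pairs exported from a browser's network capture.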
References
- [1] https://www.malwarebytes.com/blog/malwarebytes-news/2020/04/introducing-malwarebytes-privacy
- [2] https://dustri.org/b/malwarebytes-privacy-vpn-is-mullvad-in-a-shady-trenchcoat.html
- [3] https://mullvad.net/en/help/partnerships-and-resellers
- [4] https://www.tenable.com/plugins/nessus/96874
- [5] https://security.snyk.io/package/npm/openssl/1.1.0
- [6] https://security.snyk.io/package/linux/centos%3A7/pcre
- [7] https://themarkup.org/blacklight?url=malwarebytes.com&device=mobile&location=us&force=false