Couldn’t spyware be subverted by tunneling through a trusted MitM proxy?

Thats what big companies do. They break up tls connections and scan the content, with medium results. once the cryptotrojan is in, it doesn't need an channel out. The first generation had an small code that identified your strain. The developer just needed to decrypt it with his privatekey after payment and give you the decryptionkey.