Malware is certainly a strong term, and generally the definition seems to include computer code, which would exclude installing a certificate.
However, once you have installed your own root CA certificate on a computer, you can read all HTTPS traffic originating from that computer, and fake responses. Likely, thanks to having installed that certificate, you can read someone's emails, move money out of their bank account, and view any files they have stored online.
The effect of installing a certificate is broadly similar to the effect of installing a keylogger, and in neither case have you been given a right to do so. In both cases you have altered someone's computer in such a way that you are able to read their encrypted communications, which is certainly in the spirit of what malware means to me.
I'm sure that the intent in this case was not malicious, but we would not accept software installing a keylogger because they wish to measure your typing speed, and we should not accept this.
As described above, some versions of Windows require drivers to be signed, proving who made them. For this to work, Windows needs a list of CAs trusted to issue the certificates. Whether "I am not paying somebody £100 for a cert" constitutes a valid reason is arguable. But that seems to have been their plan here.