Firstly, I am no fan of JetPack. However ....
Is it spyware? Sort of. But so is WordPress itself since it includes externally hosted files and an API which phones home. If you don't like this sort of tracking, then you are probably using the wrong platform.
It is malware? No. It doesn't do anything malicious. It does what it says it does. I suspect what you call "malicious", the rest of us call "features".
And aside from all of this, the JetPack folks are a really nice bunch. If it were doing something "bad" then I'm confident they'd stop it.