Mozilla and Microsoft distrust TrustCor certificates due to suspicions over covert spyware operation

Why it matters: The chain of trust ensured by Certificate Authorities (CA) keeps the web safe and internet companies happy. However, when the chain breaks, a CA can suddenly become an unwelcome guest within the most popular web browsers.

Mozilla, Microsoft, and likely other browser makers have started to take action against TrustCor, a Certificate Authority (CA) issuing root certificates for billions of internet-connected devices. According to recent investigations and the company's own words, TrustCor is working --- or has worked --- with another entity doing business in the spyware space.

The potentially shady nature of TrustCor's business emerged in a discussion on a Mozilla mailing list, where Joel Reardon, a professor at the University of Calgary, shared his findings about a spyware SDK hidden within some Android apps. These apps were downloaded more than 46 million times and included a speed camera radar, a Muslim prayer app, a QR scanner, and more.

In early November, Reardon revealed that Panama-based Measurement Systems was the company that created the spyware SDK. Later investigations unveiled ties between Measurement Systems and a defense contractor doing some cyber-warfare work for the US government. On top of that, Measurement Systems seemed related to TrustCor, with both companies registered in Panama and sharing the same corporate officers.

Furthermore, TrustCor operates an email encryption service named MsgSafe. A beta version of MsgSafe contained the only known unobfuscated version of the Android spyware made by Measurement Systems. A TrustCor representative joined the Mozilla discussion, providing further information but no clear answers to the company's involvement with the spyware business.

In the end, a few key points emerged: Measurement Systems and TrustCor had some relationship, at least until 2021, and one developer hired by TrustCor had access to an unobfuscated version of the source code of Measurement System's Android malware. Even though there was no evidence that TrustCor abused its CA position by issuing potentially malicious TLS certificates, Mozilla said the company didn't answer its most pressing concerns regarding TrusCor's trustworthiness.

So Mozilla decided to remove TrustCor certificates from the Firefox browser starting November 30. Microsoft had already set a distrust date for November 1, TrustCor executive Rachel McPherson revealed, while Apple and other browser companies could follow soon.