Mozilla is pissed. The company sent a cease-and-desist letter to the makers of government spying software FinFisher, saying it is using Firefox’s branding to “lie and mislead as one of its methods for avoiding detection.”
Mozilla wrote a blog post about the issue yesterday, saying Gamma International, the creator of FinFisher, is “tricking people into thinking” the spyware is Firefox by using “Firefox.exe” as FinFisher’s filename, as well as providing Firefox source code to anyone who looks at the underlying code. The company worked with Citizen Lab to determine the fraud; Citizen Lab found multiple accounts of this happening in the wild. These include spyware attacks in Bahrain and Malaysia as well as a promotional demo of the spyware.
FinFisher is known in the security community as a surveillance product that governments buy to spy on specific targets. As Ars Technica notes, it’s rumored that governments also use it to spy on their own citizens. The United States, Australia, Britain, Canada, Germany, India, and many more are said to use FinFisher.
“As an open source project trusted by hundreds of millions of people around the world, defending Mozilla’s trademarks from this type of abuse is vital to our brand, our users, and the continued success of our mission,” Mozilla privacy and public policy lead Alex Fowler said in the blog post. “We cannot abide a software company using our name to disguise online surveillance tools that can be – and in several cases actually have been – used by Gamma’s customers to violate citizens’ human rights and online privacy.”
Mozilla assures people that the browser software itself has not been compromised and is in no other way associated with FinFisher. The company says that this isn’t the first time people have abused its brand, using it for malware schemes.