Mozilla to FinSpy: stop disguising your "lawful interception" spyware as Firefox

The Mozilla Foundation has sent a legal threat to Gamma International, a UK company that makes a product called "FinSpy" that is used by governments, including brutal dictatorships, to spy on dissidents. FinSpy allows these governments to hijack their citizens' screens, cameras, hard drives and keyboards. Gamma disguises this spyware as copies of Firefox, Mozilla's flagship free/open browser.

Gamma International markets its software as a “remote monitoring” program that government agencies can use to take control of computers and snoop on data and communications. In theory, it could be legitimately used for surveillance efforts by crime fighting agencies, but in practice, it has popped up as a spy tool unleashed against dissident movements operating against repressive regimes.

Citizen Lab researchers have seen it used against dissidents from Bahrain and Ethiopia. And in a new report, set to be released today, they’ve found it in 11 new countries: Hungary, Turkey, Romania, Panama, Lithuania, Macedonia, South Africa, Pakistan, Nigeria, Bulgaria, and Austria. That brings the total number of countries that have been spotted with FinFisher to 36.

To date, Citizen Lab researchers have found three samples of FinSpy that masquerade as Firefox, including a “demo” version of the spyware, according to Morgan Marquis-Boire, a security researcher at the Citizen Lab who works as a Google Security Engineer. Marquis-Boire says his work at Citizen Lab is independent from his day job at Google.

Mozilla Takes Aim at Spyware That Masquerades as Firefox [Robert McMillan/Wired]


  1. Seeing dirtbags like this operate out of a western democracy is ridiculous.  It’d be great seeing these people have to actually live under the regimes they’re backing.

  2. I’d like to see them release a detection tool and cause real problems for these companies and governments. “Genuine Firefox.”

    1. You don’t want to jump into the deep end of that particular pool.

      The big AV players, with the substantial paying customer bases and whatnot, are (at best) ‘barely holding the line’ against generic opportunistic money-grubbing viruses and trojans. They are functionally useless against the ‘advanced persistent threats’ and customized payloads that everybody goes on about these days.

      The situation with state-sponsored attackware is probably incrementally worse because it’s mostly used as a targeted-and-customized payload against targets, and because some AV vendors probably whistle innocently and look the other way when it shows up.

      If the Mozilla Foundation devoted 100% of its resources to the problem, they’d probably still only reach the ‘providing some detections, and some false sense of security, for a fairly small number of people’ stage, which isn’t terribly useful.

      Malware detection is a Hard problem.

      1. It doesn’t have to be malware detection — just Firefox detection (to check that it’s real). A careful use of hashing would be a first step…

        1. FinSpy, to the best of my knowledge, doesn’t act like Firefox; it’s a piece of spyware that runs in the background and grabs data system-wide. It merely (in some variants) includes various bits of metadata that are designed to make the process it runs as look like an instance of Firefox.

          While validating the integrity of the browser is always nice (since there is a class of malware that hooks in there, since it’s a relatively soft target and also something that a lot of fun data passes through), Firefox would check out as, and be, 100% authentic on a system infected with FinSpy (in fact, things would be even worse because the existence of a Firefox-related process would be a lot more plausible).

    1. Given that UA strings are very well known within the relevant circles, it’s hard to see that as ‘deceptive’ for trademark purposes.

      Perhaps more importantly: Going down the path that “UA strings are under legal obligations” would be a… bit of a Pyrrhic victory. So, Microsoft changes from “Mozilla/5.0 (compatible; MSIE 10.6; Windows NT 6.1” to “It’s IE 10, take it and like it”, and UA spoofing is now a violation of the CFAA…

      1. Well, the claim that IE 6 is compatible with anything whatsoever is demonstrably false, at any rate.

        1. Except, of course, an alarming number of wildly expensive enterprise intranet portals, the poor bastards…

          This is why Windows 2277: Brainstem Premium Edition, will still have an IE6 compatibility mode.
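The exchange above (hash-based "Firefox detection" versus spyware that only borrows Firefox-looking process metadata) comes down to one check: compare the executable a Firefox-named process actually runs from against known-good Firefox hashes, rather than trusting the name or the version metadata. The following is an added example, not code from the article, Mozilla or Citizen Lab; the process records, binary contents and allowlist are constructed stand-ins.

```python
import hashlib
from dataclasses import dataclass


@dataclass
class ProcessRecord:
    pid: int
    name: str          # image name as the OS reports it (what a disguise imitates)
    description: str   # version-resource "description" string (also easy to fake)
    image: bytes       # contents of the executable on disk (what hashing checks)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed stand-in for a genuine Firefox binary. A real allowlist would hold the
# SHA-256 of each vendor-shipped firefox.exe / firefox-bin you consider trusted.
GENUINE_FIREFOX_IMAGE = b"constructed stand-in for a genuine firefox binary"
KNOWN_GOOD_FIREFOX = {sha256_hex(GENUINE_FIREFOX_IMAGE)}

FIREFOX_MARKERS = ("firefox", "mozilla")


def claims_to_be_firefox(proc: ProcessRecord) -> bool:
    """True if the process presents itself as Firefox by name or metadata."""
    text = f"{proc.name} {proc.description}".lower()
    return any(marker in text for marker in FIREFOX_MARKERS)


def find_impostors(procs: list[ProcessRecord]) -> list[ProcessRecord]:
    """Firefox detection, not malware detection: flag processes that claim to be
    Firefox but whose on-disk image is not a known-good build. Genuine Firefox
    passes, and processes that never claim to be Firefox are out of scope."""
    return [p for p in procs
            if claims_to_be_firefox(p) and sha256_hex(p.image) not in KNOWN_GOOD_FIREFOX]


# Constructed sample process table: one real Firefox, one impostor, one bystander.
SAMPLE_PROCS = [
    ProcessRecord(1001, "firefox.exe", "Firefox", GENUINE_FIREFOX_IMAGE),
    ProcessRecord(1002, "firefox.exe", "Firefox", b"constructed stand-in for an unrelated binary"),
    ProcessRecord(1003, "notepad.exe", "Notepad", b"constructed stand-in for a text editor"),
]

if __name__ == "__main__":
    for p in find_impostors(SAMPLE_PROCS):
        print(f"pid {p.pid}: '{p.name}' ({p.description}) runs a non-Firefox image "
              f"{sha256_hex(p.image)[:16]}...")
```

As the thread notes, this only catches a process borrowing Firefox's name or metadata; a backgrounded implant that makes no such claim is invisible to it, and the on-disk hash says nothing about what has been injected into a genuine browser's memory.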

  3. It’s a bit sad; but this might actually be the most illegal part of what Gamma is doing.

    Selling dangerous tools to known malefactors is, if done suitably professionally, apparently legal.

    Trademark violations, though? Intellectual Property is Serious Business…

    I’d be delighted to see Gamma go down, of course; but the fact that trademark violations are probably less legal than hunting down dissidents is… dispiriting.

  4. They appear to be copyright violators too – including GNU MP without providing notice to users of their rights under GNU LGPL.

  5. I’ll bet Gamma would throw down a cease-and-desist real fast if someone released software that identified itself as FinSpy.
