Mozilla's lawyers are sending a nasty gram to a U.K. company that writes spyware for government snoops.

The problem is that FinSpy masquerades as FireFox on the PC, according to researchers at The Citizen Lab, a University of Toronto-backed project that investigates technology and human rights. That violates Mozilla's trademark, the browser-maker said in a statement. "As an open source project trusted by hundreds of millions of people around the world, defending Mozilla's trademarks from this abuse is vital to our brand, mission and continued success."

Mozilla says it's sending the U.K. company that makes FinSpy, Gamma International, a cease-and-desist letter later today "demanding that these practices be stopped immediately." Gamma International couldn't immediately be reached for comment. FinFisher is the name of Gamma's command and control server software that collects the surveillance data. It also makes FinSpy, the spyware that runs on the PC.

Morgan Marquis-Boire. Photo: Courtesy Brandon Downey

Gamma International markets its software as a "remote monitoring" program that government agencies can use to take control of computers and snoop on data and communications. In theory, it could be legitimately used for surveillance efforts by crime fighting agencies, but in practice, it has popped up as a spy tool unleashed against dissident movements operating against repressive regimes.

Citizen Lab researchers have seen it used against dissidents from Bahrain and Ethiopia. And in a new report, set to be released today, they've found it in 11 new countries: Hungary, Turkey, Romania, Panama, Lithuania, Macedonia, South Africa, Pakistan, Nigeria, Bulgaria, and Austria. That brings the total number of countries that have been spotted with FinFisher to 36.

To date, Citizen Lab researchers have found three samples of FinSpy that masquerades as Firefox, including a "demo" version of the spyware according to Morgan Marquis-Boire, a security researcher at the Citizen Lab, who works as a Google Security Engineer. Marquis-Boire says his work at Citizen Lab is independent from his day job at Google.

They found that when they right-clicked on the executable that contained the spyware and opened up the Windows "Properties" dialog box it contained information that was often identical to Firefox.

A FinSpy "properties" box compared to a similar Firefox box. Screenshot: Citizen Lab

They also discovered similar samples used to target computers in Bahrain and Malaysia, Marquis-Boire says. It's common for illegal malicious software to pretend to be a legitimate program, but FinSpy is different.

"What's interesting in this specific case is we have something which is malware, doing what malware does, but it's a commercial company that's selling it," he says. "So that's where it gets interesting. You can actually say, 'Hey can you guys knock it off.'"

"It's important to note that the spyware is not connected with any Mozilla product, including Firefox, in how it is installed or operates on a person's computer or mobile device," Mozilla said in its statement. "Only our brand and trademarks are used by the spyware as a method to avoid detection and deletion."