You've heard about StageFright, right? Where a malicious MMS compromises an Android handset by exploiting vulnerabilities on the phone's mediaserver.
Are you aware that StageFright is not an MMS issue, but an issue with anything that will try to open a malicious MP4? If not, you are now, and I hope I am about to convince you even more thouroughly below...
Yes, for instance, StageFright occurs with Telegram. The only (fortunate) difference is that Telegram does not preview the MP4, so it will only crash if you open the video (manual intervention). This is still serious, because an attacker could be tricking you to open the malicious video and get a remote shell on your phone...
Figure 1. I just received the malicious video (PoC) inside the Telegram app
First, you receive the malicious video (Figure 1) on your Telegram account. Clicking on it will trigger StageFright: we get the crash log below (because this PoC does not exploit the vulnerability - it just crashes), while the phone merely complains it cannot play the video (Figure 2).
Figure 2. You get an error when you try to open the video. In reality, you are now compromised!
F/libc (21899): @@@ ABORTING: LIBC: ARGUMENT IS INVALID HEAP ADDRESS IN dlfree addr=0x2a057638
F/libc (21899): Fatal signal 11 (SIGSEGV) at 0xdeadbaad (code=1), thread 21905 (Binder_1)
I/DEBUG ( 1198): *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
I/DEBUG ( 1198): Build fingerprint: 'motorola/mb526_umts/mb526:4.2.2/JDQ39E/20130709:user/release-keys'
I/DEBUG ( 1198): Revision: '0'
I/DEBUG ( 1198): pid: 21899, tid: 21905, name: UNKNOWN >>> /system/bin/mediaserver <<<
I/DEBUG ( 1198): signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr deadbaad
I/DEBUG ( 1198): r0 00000055 r1 40f36858 r2 00000003 r3 deadbaad
I/DEBUG ( 1198): r4 400b9228 r5 2a057638 r6 40f36880 r7 400ac802
I/DEBUG ( 1198): r8 2a057640 r9 6d6f6f76 sl ffffffff fp 000002ff
I/DEBUG ( 1198): ip 00000000 sp 40f36880 lr 40098c29 pc 4007cfe8 cpsr 00070070
I/DEBUG ( 1198): d0 67756265643a6467 d1 0000000000000065
I/DEBUG ( 1198): d2 0000000000000072 d3 0000000000000064
I/DEBUG ( 1198): d4 006f006900640075 d5 3ff0000000000000
Similarly, StageFright can be triggered on WhatsApp too. It is just slightly more complicated, because by default WhatsApp lets you send only live video (it opens your camera, captures the video and sends it). It does not let you send a MP4 file (or does it? there is a media search menu but it couldn't find the malicious video on my SD card, but to be honest, I don't use WhatsApp - except for blog posts) . So, I resorted to using a WhatsApp add-on called WFS (WhatsApp File Sender) which hides the MP4 file in some audio stream. I sent the malicious MP4 that way, recovered the MP4 using WFS (Figure 3), and clicked on the video... crash logs at Figure 4!
Figure 3. Opening the malicious MP4 sent via WhatsApp
Figure 4. When reading the StageFright PoC sent through WhatsApp, the mediaserver crashes (as expected)
So, although both cases require manual intervention, I hope you are now convinced anything that reads a StageFright video can potentially compromise your phone.
-- the Crypto Girl