Security of video formats

Curioussecurity11

Greetings everybody,
I have a question about video formats,particularly the mp4 format.
1.How dangerous is downloading and running these types of files on graphene os phones or on any really?
2.Are we targeted more on the web when a website detects that we use graphene os or the vanadium browser?
3.How careful should I be with downloading this format in the terms of a zero day vulnerability?
Thank you for taking time of your day to read and perhaps answer!

de0u

Curioussecurity11 I think I've read about remote code execution vulnerabilities through the Mali GPU driver, which might well have been triggered by malicious MP4 files. The format isn't particularly more dangerous than other things, but it's generally wise to avoid viewing/downloading/executing anything from sketchy sources.

MP4 arriving via a Netflix subscription is probably fine, but MP4 arriving from a copyright infringement site, i.e., an entity not so worried about laws or reputation, might be less fine.

IDtheTarget

Ultimately it's not the mp4 that's executing the code, it's the app in which you're viewing the mp4. For instance, let's say you're using vlc to watch your mp4 videos. Let's further say that the version of vlc you're using has a bug that allows some form of vulnerability, like a buffer overflow. Next, say that a malicious actor knows about this vulnerability and crafts/modifies an mp4 in such a way as it takes advantage of that vulnerability to download malware to install on your phone. Then you download and watch the mp4 and get infected.

This isn't as far-fetched as it may seem at first. Various commercial entities purchase zero-day exploits in order to update their malware for sale to criminal and government actors.

Really, there are only three things I can think of to keep you safe from this type of scenario:

Use a phone OS like GOS (which I'm assuming you're already doing, since you're on this forum). The developers of GOS go to great lengths to secure the OS to not only reduce the likelihood of initial compromise, but also to reduce lateral movement if a compromise does occur.
(As mentioned above) restrict your downloads to only trusted sites. That's not a fix-all, I've seen compromises come from trusted sites. But it significantly reduces the attack surface.
Keep everything updated (OS/apps/etc.). (This implies that you only use apps that are still being maintained.) Typically these types of compromises happen when the app/library developer doesn't yet know about the exploit, when it's still a zero-day vulnerability. Once the developer knows, they (usually) rapidly release a patch removing the vulnerability.

Hope this helps!

Curioussecurity11

IDtheTarget
This is very insightful thank you,how would one of those most popular Instagram download sites(not sure if I am allowed to post links),fair in this regard?
Also would us using vanadium perhaps lure the same entities to with maybe the use of automations,upon detection flip a file that is malicious?
And also I know screen recording is almost a bulletproof way of getting the same videos,but I already made a bad call.
Sorry if this is all a bunch of speculations and have a nice day!

de0u

Curioussecurity11 Instagram the company has every incentive to keep malicious content out. The motives of any person or organization dedicated to hosting supposed Instagram content against the wishes of Instagram and Instagram members are less clear.

ryrona

de0u Also, I suspect they routinely transcode video, which is somewhat likely to remove malicious format errors.

Yeah, they definitely reencode the video entirely. All serious video hosting services do, because users upload things in all kinds of weird and non-standard formats that might cause playback issues for some visitors otherwise. Some might even upload a several gigabyte large 30 second long video in insane resolution. Users cannot be trusted, so everything is reencoded.

Curioussecurity11 how would one of those most popular Instagram download sites(not sure if I am allowed to post links),fair in this regard?

I think both Facebook and Instagram host the video files in a way that is very easy to fetch, so most downloaders would just find an absolute link to the video file on Meta's own domains, and let you download it directly, instead of them hosting infrastructure to download files, reencode files, and then serve files to you. You should be able to check the URL of any download you start. If it is on Instagram's domain or other Meta owned domain, the files are definitely free from exploits and safe to play.

I wouldn't expect a zero-day compromise even from a shady downloading service, unless there is reason to specifically target you, eg because what you download is illegal or because the content is likely to be downloaded by activists. Zero-days are hugely expensive, and the more times it is served, the bigger the risk it gets detected and patched in a software update.

Definitely keep your system up-to-date though.

Curioussecurity11

de0u
I guess you could put it that way but I would argue that instagram is way worse and has more resources(closed source).
But I guess this is all speculation,thank you for the answer though!

de0u

Curioussecurity11 Regardless of one's opinion of Instagram the company or the content they host, the company has an address and a reputation and can be sued -- and can even in theory face regulatory oversight. Also, I suspect they routinely transcode video, which is somewhat likely to remove malicious format errors.

Curioussecurity11 I guess you could put it that way but I would argue that instagram is way worse and has more resources(closed source).

I don't see what would make them more likely to host video containing remote exploits. I particularly don't see how being closed-source would make that more likely.

Please note that I am not paid by Instagram, nor do I even have an account.

Curioussecurity11

Great answers guys!
Thank you for the write up,the file is since deleted,which I guess wouldn't do anything if it was malice...
Best regards guys!