There seemed to be a need/urge to "mock" up a lab (once upon a 10 years ago) and use the same exact software as a target. Once upon a time, systems weren't so complicated and most administrators/engineers/architects really didn't take the time to configure deployments properly. The likelihood of finding "repeat" security holes was high. Meaning, if one company running say IIS 4.0 had a borky config, odds were, MANY were affected by the same configs (Google: "herding instinct") Nowadays, security has improved somewhat so the notion that by you “re-creating” a target will yield the same results as that target are flawed.
So this is from the software/application side. Now I will answer based on my interpretation side. You state:
Software on MobileA --> Share Pictures --> Software on MobileB
Let’s dissect the threat. Is the software in the rendering of an image? Meaning, the delivery method... Is this what triggers an event? For example, if I send a corrupt image to “Software on MobileB” is it the image manipulating something? Can I send it from a non-mobile device? Is it a configuration issue, e.g.: “If MobileA has X on by default...” There is a lot to think about prior to giving a direct answer. If it is a configuration issue, kiss the mimicking goodbye.