What are the chances of a malware being persistent if I dd to write system.img and userdata.img from twrp

If I had a malware on my phone, say malware like xhelper, or strandhogg or something even critical than that, what are the chances of it being persistent even after using dd to write the **system.img** and **userdata.img** to the phone for eg dd if=system.img of=/dev/block/platform/mtk-msdc.0/by-name/system to write system as brand new. Is it possible that the malware could snoop into /cache or /nvdata to attain persistence. Is it feasible to use dd to flash those partitions as well? Which places would a malware use to hide itself to maintain persistence even after stock image flashing?