Is it easy to create persistent programs that run before Android's boot? (in firmware maybe)

If the bootloader is locked, all android partitions are verified by android verified boot (AVB) and android bootloader (ABL) is verified by secure boot which is enforced by chipmaker in production SoCs. Devices with Qualcomm Snapdragon SoCs, Qualcomm's Primary Bootloader (PBL) of SoC verifies Xtended Bootloader (XBL), XBL verifies ABL and ABL enforces AVB.

To break this chain of trust, the attacker can exploit a vulnerability somewhere in the chain to bypass signature verification. One can also tamper with PBL on board. While modifying it may be considered feasible in theory, it is not scalable. PBL is burned on CPU die and its public key is stored in eFUSE which make it tamper resistant. Android has infamous fragmentation problem, most android devices never receive timely updates and new vulnerabilities remain unpatched. Some of the critical vulnerabilities in chipmakers' bootloader and android bootloader were found in the past which could be used for persistent malware and bypass of secure boot and AVB.

If your device's bootloader is locked and has been factory reset then it is running stock image otherwise the device would brick on first boot. The device can also run with custom root of trust where AVB key is user generated. This allows user to make its own modifications and re-sign images to enforce custom AVB. You can see the verified boot state of the device in bootloader mode.

Verified | SelfSigned | Unverified | Failed