
cue iThing fanboys cheering...
University of California Santa Barbara researchers have turned up bootloader vulnerabilities across a bunch of Android chipsets from six vendors. The team of nine researchers decided to look at a little-studied aspect of Android architecture – the interaction between OS and chip at power-up. To get inside that operation, they …
In the case of malware, yes, but if you're trying to install a newer version of Android, no. You usually can't replace the kernel without unlocking the bootloader, so while you may be able to get root and even load a custom ROM, you'll be effectively stuck on the same version of Android.
If I read this correctly, the attacker needs physical access to the target device to exploit any of these vulnerabilities. If that is true, then this is only a problem for a person who gets a pre-infected phone (e.g. an NSA target) or a person who lets a malicious person (say in a phone repair shop) have control of his/her phone.