Lets say... a malware binary is downloaded with a dynamic load balancing across 2 tcp streams. Everything looks fine to your NG firewall, no malware detected.
Mind you the same applies if someone downloads a malware binary across an encrypted protocol
The countermeasure is to enable deep protocol inspection (and HTTPS inspection!)
To inspect https traffic you have to force proxy it. Force proxying should be an effective measure to prevent multipath TCP as well.