Checksums are useless in this case. The binary would have to be signed, and the installation routine would have to check that the new binary was signed with the certificate. That adds complexity, but would have thwarted this specific attempt.
However, there are ways around this, too. No solution is perfect.
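The difference between the two checks described in the comment above, as an added example that is not part of the original comment or of any vendor's updater. It assumes Ed25519 signatures and a public key pinned in the installed client; the `Release` type, the function names and the sample payloads are hypothetical and constructed for illustration.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"fmt"
)

// Release is what the installer downloads. Every field comes from the
// update server, so every field is untrusted if that server is compromised.
type Release struct {
	Binary   []byte
	Checksum [32]byte // SHA-256 published next to the binary
	Sig      []byte   // signature made offline with the vendor's private key
}

// ChecksumOK only proves the binary matches the checksum served with it.
func ChecksumOK(r Release) bool {
	sum := sha256.Sum256(r.Binary)
	return bytes.Equal(sum[:], r.Checksum[:])
}

// SignatureOK verifies against a public key already pinned in the client.
func SignatureOK(pinned ed25519.PublicKey, r Release) bool {
	return ed25519.Verify(pinned, r.Binary, r.Sig)
}

// Demo returns a genuine release, a tampered one, and the pinned key.
func Demo() (genuine, tampered Release, pinned ed25519.PublicKey) {
	pub, priv, err := ed25519.GenerateKey(nil) // nil means crypto/rand
	if err != nil {
		panic(err)
	}
	good := []byte("update v2 (constructed sample)")
	genuine = Release{good, sha256.Sum256(good), ed25519.Sign(priv, good)}
	// Tampered on the server: binary and checksum are replaced together.
	// The private key is not on the server, so no valid signature exists.
	bad := []byte("update v2, modified (constructed sample)")
	tampered = Release{bad, sha256.Sum256(bad), genuine.Sig}
	return genuine, tampered, pub
}

func main() {
	g, t, pub := Demo()
	fmt.Println("genuine:  checksum", ChecksumOK(g), "signature", SignatureOK(pub, g))
	fmt.Println("tampered: checksum", ChecksumOK(t), "signature", SignatureOK(pub, t))
}
```

The signature check is only as strong as the custody of the private key and the integrity of the pinned public key inside the client.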