It doesn't protect against malware being included by default; it protects against malware being inserted on the wire, i.e. between Canonical's HDD and your HDD. If malware is inserted at this point, then the checksum should fail.
Coincidentally, it requires the checksum to be propagated through another, more secure means, so distributing the checksum on the very same site increases the chance for an attacker to act; however, there is no other way as widespread as this to give the checksum anyway.
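The point made in the answer above, as an added example that is not part of the original post: a checksum detects an image changed in transit only when the checksum itself arrives over a channel the attacker does not control. The file name, image bytes and checksum lines are constructed stand-ins, and the `sha256sum`-style line format is an assumption.

```python
import hashlib

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def parse_sums(text: str) -> dict:
    """Parse sha256sum-style lines: '<hex digest> [*]<filename>'."""
    sums = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        digest, name = line.split(maxsplit=1)
        # A leading '*' marks binary mode in sha256sum output; drop it.
        sums[name.lstrip("*").strip()] = digest.lower()
    return sums

def verify(image: bytes, name: str, sums_text: str) -> bool:
    """True only when `name` is listed and the image hashes to its digest."""
    expected = parse_sums(sums_text).get(name)
    return expected is not None and sha256_hex(image) == expected

# Constructed sample data standing in for a real ISO and its checksum file.
NAME = "example.iso"
ORIGINAL = b"image bytes as published"
MODIFIED = b"image bytes changed in transit"

# Checksum obtained over a separate, more secure channel.
TRUSTED_SUMS = f"{sha256_hex(ORIGINAL)} *{NAME}\n"
# Checksum served over the same channel as the image, rewritten to match it.
SAME_CHANNEL_SUMS = f"{sha256_hex(MODIFIED)} *{NAME}\n"

def scenarios() -> dict:
    return {
        "intact image, trusted checksum":
            verify(ORIGINAL, NAME, TRUSTED_SUMS),
        "modified image, trusted checksum":
            verify(MODIFIED, NAME, TRUSTED_SUMS),
        "modified image, checksum from same channel":
            verify(MODIFIED, NAME, SAME_CHANNEL_SUMS),
    }

if __name__ == "__main__":
    for label, ok in scenarios().items():
        print(f"{label}: {'match' if ok else 'MISMATCH'}")
```

The third scenario reports a match even though the image was modified, which is why the source of the checksum matters as much as the comparison itself.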