This is why compiled binaries are published with checksums and developer signatures. You can compare the checksum listed for a given build against the checksum of the copy you just downloaded; if they match, you can be reasonably sure that this is, indeed, the software you intended to install, at least as long as the listed checksum came from somewhere the attacker could not also tamper with (a checksum sitting next to the download on the same compromised server proves nothing). The developer signature goes further: it shows that the file was signed by whoever holds that developer's private key, which is as close as you can get to proving who built it, and it makes the file exactly as trustworthy as that person and their handling of the key.
Of course, you don’t generally check the checksum or the developer signature yourself. Your package management software (for Android think “Google Play”) does that for you under most circumstances, at least once the basic operating system is installed. Anything you install outside that channel gets no such check, which is why the security conscious verify the signatures and checksums by hand when downloading a ROM, or any software they intend to sideload onto their device.
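What checking a checksum by hand amounts to, as an added example that is not code from the original post or from any particular ROM project: the script below parses a SHA256SUMS file in the format `sha256sum` produces (`<hex digest>  <filename>`, with an optional `*` before the name for binary mode), hashes the downloaded bytes, and compares the two in constant time. The ROM bytes, the filename and the SHA256SUMS text are all constructed inline so the example runs offline; `publish_sums` stands in for the publisher generating the list and is not something the user would run.

```python
import hashlib
import hmac

# Constructed sample standing in for a ROM image the user just downloaded.
# The filename is hypothetical; the bytes are not a real image.
ROM_NAME = "example-rom-signed.zip"
ROM_BYTES = b"\x50\x4b\x03\x04" + b"example ROM payload " * 64


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of the downloaded bytes (what `sha256sum file` prints)."""
    return hashlib.sha256(data).hexdigest()


def publish_sums(files: dict) -> str:
    """Publisher side, simulated: emit a SHA256SUMS file in coreutils format.

    Each line is '<64 hex chars>  <name>' (two spaces), one per artifact.
    """
    return "".join(f"{sha256_hex(data)}  {name}\n" for name, data in files.items())


def parse_sums(text: str) -> dict:
    """Parse a SHA256SUMS file into {filename: lowercase hex digest}.

    Accepts both '  name' (text mode) and ' *name' (binary mode) spellings,
    skips blank and '#' comment lines, and rejects malformed digests instead
    of silently ignoring them.
    """
    sums = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        name = name.lstrip(" *")
        if len(digest) != 64 or any(c not in "0123456789abcdefABCDEF" for c in digest):
            raise ValueError(f"malformed SHA256SUMS line: {line!r}")
        sums[name] = digest.lower()
    return sums


def verify_download(data: bytes, name: str, sums_text: str) -> bool:
    """True only if `name` is listed and its digest matches the bytes.

    A file with no listed checksum fails closed: nothing to compare against
    is not the same as a match. compare_digest avoids leaking where the two
    hex strings diverge, which matters little here but costs nothing.
    """
    expected = parse_sums(sums_text).get(name)
    if expected is None:
        return False
    return hmac.compare_digest(sha256_hex(data), expected)


if __name__ == "__main__":
    sums_text = publish_sums({ROM_NAME: ROM_BYTES})
    print("good download:    ", verify_download(ROM_BYTES, ROM_NAME, sums_text))
    # Flip the last byte to model a corrupted or swapped download.
    tampered = ROM_BYTES[:-1] + b"!"
    print("tampered download:", verify_download(tampered, ROM_NAME, sums_text))
    print("unlisted file:    ", verify_download(ROM_BYTES, "other.zip", sums_text))
```

Note that this only establishes that the bytes match the list; it does not establish that the list is genuine. That is the developer signature's job: verify the SHA256SUMS file (for a PGP-signed release, `gpg --verify SHA256SUMS.asc SHA256SUMS`) with a publisher key you obtained somewhere other than the download site, and only then trust the digests in it.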