will that 'spoofed' binary be able to do anything useful, like introduce trojans?
All bets are off now. Before it was considered practically impossible to
calculate a collision in MD5-hash-space. Now it is shown that this is not the case and that you can do so in (practically spreaking) finite time.
Nobody knows if the colliding datastreams will have any useful content, but nobody can tell you the opposite either and in matters of security, you assume the worst (but hope for the best).
CountZero
"If you have four groups working on a compiler, you'll get a 4-pass compiler." - Conway's Law