Surely if malware has rw access to the home folder, it can adjust the env variables / shell to make this also fake.