If you are using Electrum as your interface while sending from a hardware wallet and the device isn't displaying the change address, you can cancel the transaction and check if the change address is part of your wallet in Electrum.
If the firmware gets compromised, it will display any falsified information that it wants. I'm assuming that the firmware actually handles both the transaction display and signing logic.
When you get to the stage where Electrum displays all the inputs and outputs before it pushes the info for you to confirm on the screen of your hardware wallet, copy the change address, cancel the transaction, and go and check if the change address is part of your wallet. If it is, recreate the transaction and make sure the same change address is used. Wouldn't that work?
That is assuming, as the scenario says, that the malware doesn't have control of your computer. If you run the risk of both the hardware wallet and computer being compromised, there is nothing that you can do. That is why either the hardware wallet or the computer must maintain its integrity. The firmware will mostly remain uncompromised; it is signed by the manufacturer and I assume that they have the necessary procedures to avoid any possible attacks.