Hacker News

That information would obviously not be accessible via ANY API. So that would be something only Google private apps have access to.


Doesn't really matter if there is an API for it or not, if Google were to display it prior to you being authenticated (which they would have to for it to have any impact in this sort of attack), it would be fairly trivial for the attack code to (behind the scenes) present themselves as you to Google and then scrape the correct image from Google's response to their request. There are various things Google could do to make this more difficult, like some fancy rendering via canvas or webgl instead of just using a bog standard img tag, but to counter this the attack could just run a headless rendering browser and pixel scrape the resulting image.

Such a verification image makes the MITM attack a bit harder to code, but not really by much, and in the process might introduce an increased false sense of security.



