After helping a family friend’s Android phone, MISRYOUM found Google Play Protect failed to flag an app posing as “Messages” that replaced the launcher and flooded the device with ads—both before it was installed and after the malware scan.
When an older relative handed over her Android phone, the problem looked simple at first—just ads that wouldn’t stop. But the real disruption wasn’t coming from a pop-up, or a single “bad” app behaving oddly. Her entire interface had been changed: app drawer, widgets, even the Google Discover feed.
The app responsible was labeled “Messages” in her system.. It wasn’t acting like a typical messaging app either.. It replaced the launcher. showed ads across multiple screens. and kept pushing prompts tied to messaging defaults—yet Google Play Protect didn’t flag anything when it was scanned after installation.
Google’s Play Protect is designed to defend Play Store users from malicious applications, including adware.. In this case, that promise didn’t hold up.. The app made it onto the Play Store with minimal friction and then slipped past the service that’s supposed to catch exactly this kind of unwanted behavior.
The story began with familiar paths for scams on Android: misleading ads and convincing “critical updates.” A colleague had described how his father tapped an ad for a so-called critical update and ended up installing different PDF apps that delivered more ads.. The pattern is the same: the user clicks. the app appears to promise an essential function. and revenue follows through additional advertising.
On the grandmother’s device, the symptoms were personal and persistent. She kept getting messages that she needed a new PDF reader or that her phone lacked enough space. She didn’t know what changed—she only noticed that one day the UI was completely different.
Her son scanned the phone first using Samsung’s Device Care, which identified one app with excessive ads. Even after uninstalling it and getting a clean scan, the interface didn’t revert.
That’s when the scope of the issue became clear.. It wasn’t just an app throwing pop-ups.. The phone had an entirely different launcher—replacing the app drawer, widgets, and the Google Discover feed.. Searching inside the app drawer also brought up additional ads.. Even a widget that looked like Google Search displayed ads.
The prompts were equally telling. The device continually asked her to change the default messaging app after a swipe to the left-most screen. Meanwhile, searching for the app didn’t turn it up in the app drawer, and long-pressing the icon on the home screen didn’t show the expected uninstall option.
When the phone was brought in for deeper inspection, Play Protect was the next step.. The scan was supposed to catch malware and also adware. with a warning that typically reads: “This app may display ads with unexpected behaviors (for example. outside the app environment. cannot be easily dismissed. or interfering with device functionality).” But the service did not report any issues—despite the app continuing to operate on the device.
Play Protect, in the end, failed in two distinct ways: it didn’t identify the app as adware before it was installed, and it didn’t detect the app as problematic after it landed on the grandmother’s phone.
The key product involved was an app with a simple name—“Messages”—but its real purpose was harder to miss once it was running.. It replaced the launcher and displayed ads, and its permissions stood out.. The permissions were different from other messaging apps because it requested access tied to widgets.
After uninstalling the culprit, the UI reset back to Samsung’s default One UI, and the grandmother regained control of her device.
There were also details that made the deception look deliberate.. The app she had installed had no reviews and around 10k downloads.. A quick check of the Play Store also showed messaging apps promising dubious functionality—claims like saving battery power. or offering a way to receive SMSes without internet. even though SMSes don’t require an internet connection.
Eventually, the same “Messages” app turned up again as the device offender.. After uninstalling it, the interface returned to normal.. The app has since updated its app title to include that it’s also a launcher. while keeping its description vague enough to trick non-tech-savvy users into thinking they’re installing a messaging utility.
Even with the uninstall done. the broader tension stayed in view: the sideloading process has friction and warnings about installing unknown apps. yet it can be comparatively seamless to grant excessive permissions when an app comes from the Play Store.. Play Protect is meant to identify apps with excessive permissions. but in this case that protection seemed easy to get past.
The repair itself came down to finding where Android hides launcher settings. Searching for “home” or “launcher” doesn’t bring it up directly. Instead, the setting lives under Settings > Apps > Default apps > Home app (exact steps depending on the Android skin).
Since it hadn’t been changed in around a year, the basic workflow was forgotten.. The fix used the Google Play Store account tools instead.. First, the Google Play Store account icon at the top right was opened, then Manage apps and device > Manage.. The filter was set to This device, to view all apps installed on the phone.. From there. the app nearly got missed because its title was generic—“Messages”—and it used an icon and chat blurb that looked similar to the discontinued Samsung Messages app.. The confusion only broke when the device’s owner pointed out it wasn’t Samsung Messages. and the app details revealed it was developed by another company.
The app was removed from the device through Manage apps, and once it was gone, the phone’s interface returned to its original launcher.
A final detail sharpened the concern.. The same company also makes a QR code scanner that is described as a launcher. adding weight to the idea that launcher functionality is used as a vehicle for delivering more ads.. On modern Android. launcher replacement isn’t necessary for messaging features or QR scanning—Android can already support those behaviors without adding a new launcher layer.
The pattern in this case is consistent: ads lure users into installing apps, permissions make the disruption possible, and the app continues running even after a Google Play Protect scan—until the launcher swap is removed through Android’s settings.
The broader frustration is straightforward.. Plenty of Android users aren’t constantly on guard. and even people who are technically comfortable can miss where key settings live.. The experience described here wasn’t just about one device.. It was about how easily a non-expert can be steered into granting permissions. and how long it can take to realize the problem is the app changing the phone’s foundation.
There’s also a lingering irony.. The fix required the kind of troubleshooting most users won’t do—identifying what app is actually acting as the launcher. then removing it.. And the writer notes they wouldn’t expect Play Store and Play Protect to spot every exploit. but apps with excessive permissions posed as normal functionality—and then deliver ads or other malware—remain a recurring issue.
And for anyone reading, the takeaway lands where it hurts: it shouldn’t take a tech journalist to notice that “Messages” is not behaving like a messaging app, or that a phone can be fundamentally rewritten without triggering the protections it’s supposed to have.
MISRYOUM Android Google Play Protect adware malicious apps Play Store launcher unwanted software cybersecurity mobile scams