# [Q] Gfirewall and Gsearch bloatware/virus problem.. HELP!



## MatthewTaylor92 (Sep 8, 2014)

Hello guys, i have a problem as reported above with 2 bloatware apps on my android phone: Gfirewall and Gsearch. 
My phone model is UBTEL U8 (MTK model, china phone) and i'm running Android 4.2.2 ROOTED. I have no custom rom/firmware installed.

These 2 apps appeared magically about 2/3 months ago, and i thought they were safe beacuse of Google logo and name. Nothing happened in these months except for some phone crashes and restarts, but 2 days ago a banner ad appeared in my home screen at phone restart and/or phone unlock. I use AdAway (similar to AdBlock) to disable ALL TYPES of banner, ads and related on my phone, browser and apps. When i went to AdAway i noticed that was disabled: i enabled it again and restarted the phone.. but banner ads still showing.. so i went again in AdAway and it was disabled.. again! 
I have a similar problem with 3G/H connection with Vodafone. Everytime i disable internet connection, it gets activated again in 1 minute max.. so i can't disable internet.. never!

I removed these 2 bloatware apps today and fortunatly they didn't show up again or get reinstalled.. ads and AdAway blocks are disappeared. I started a lot of antivirus controls with Avira and nothing showed up.. so i thought i was fine, BUT the internet problem persists.. i can't disable internet everytime i want. Someone of you could help me to solve this problem? I hope there is an alternative method to solve this without format/reset the phone!


----------



## user064 (Sep 12, 2014)

I have the same problem with Gfirewall and Gsearch in my STAR N9800
Same full screen banner ad in my home screen.
In my phone there is Trend Micro Worry Free Business Security Services as antivirus, but nothing was found after a full scan.
If I find something new, I'll write here


----------



## MatthewTaylor92 (Sep 14, 2014)

user064 said:


> I have the same problem with Gfirewall and Gsearch in my STAR N9800
> Same full screen banner ad in my home screen.
> In my phone there is Trend Micro Worry Free Business Security Services as antivirus, but nothing was found after a full scan.
> If I find something new, I'll write here

Click to collapse



Hello! I solved with hard reset.. if you want to try i suggest you to use titanium backup for your safe apps, so you'll not lose anything


----------



## martinzx13 (Sep 15, 2014)

MatthewTaylor92 said:


> Hello! I solved with hard reset.. if you want to try i suggest you to use titanium backup for your safe apps, so you'll not lose anything

Click to collapse



I am facing the same issues, I do not think a hard reset will solve the problem, these two apps are embedded in the firmware, they lie dormant for a while then kick in, after a while, about 3months after purchase.

I have tried uninstalling & they just re-install, if you phone is rooted, you can hybernate them with ''App Quarantine''

I am struggling to deal with them, as my phone is not currently rooted. 

FYI: CM security now shows Gsearch as a virus.

Any solutions please??

Cheers Martin


----------



## pushkardua (Sep 15, 2014)

martinzx13 said:


> I am facing the same issues, I do not think a hard reset will solve the problem, these two apps are embedded in the firmware, they lie dormant for a while then kick in, after a while, about 3months after purchase.
> 
> I have tried uninstalling & they just re-install, if you phone is rooted, you can hybernate them with ''App Quarantine''
> 
> ...

Click to collapse



remove them after rooting your phone!!! seems soo unimaginable that they are embedded in your rom :/


----------



## martinzx13 (Sep 16, 2014)

pushkardua said:


> remove them after rooting your phone!!! seems soo unimaginable that they are embedded in your rom :/

Click to collapse



Yes you are very likely to be correct, I was kinda hoping, for a solution without rooting? Any ideas? Anyone?

Cheers Martin :angel::angel:


----------



## paxadete (Sep 17, 2014)

Same problem , rooted phone and uninstalled gsearch and gfirewall but in one or two days they auto-reinstall


----------



## pe1fam (Sep 21, 2014)

*Play Store*

There is a app in the rom called Play Store (Not Google Play Store!) and Opera Service
Remove those apps from the rom to prevent advertisements at screen unlocking.
To remove Play Store and Opera service your phone needs to be rooted (use Titanium backup fi). You can check this by using a firewall like droidwall.

If you can't root your device:
Use a firewall like mobiwol if your device is not rooted (is creates an internal vpn where it can filter your traffic).


----------



## rwbcca (Sep 21, 2014)

*Suspicious files found running at background*

I have the same problem with the two files reinstalling by itself after I delete them.  I have a Chinese made smartphone Tronsmart PS7 running Android 4.2.2 rooted.  After digging deeper into the files running at the background, I noticed there are files that have complete access to all the privilege rights in my phone other than android system, they are android.cube, AdupsFotaReboot, RebootAndWriteSys and Common Data Service.  I have tried to force these files to stop and it seems the problem is solved, Anyone has any ideas what these 4 files are for?


----------



## user064 (Sep 21, 2014)

I don't think to do any hard reset, if these are hard coded in ROM, this is not a stable solution
IMHO there are only two exit ways:

1) do a virus submission request 
I've done this request 1 minute ago.

2) flash the device with another ROM (4.2.2 is getting older, anyway...)

You can see the manifests of Gsearch and Gfirewall, are identical:

Not so good news...


----------



## jorfen (Sep 23, 2014)

Hi all, 

in my case, I found a solution. Once MTKDroidTools used to get root on the phone (root only, nothing else), I pressed the button "Delete China" and the application has removed the files from the "files_for_delete.txt" list. After this, the problems are over !!! 

Another way to do this with the phone already rooted, you do it manually, and you can follow the steps of: 

http://forum.xda-developers.com/showpost.php?p=44455669 

or 

http://electricheatingcosts.com/removing-chinese-smartphone-spyware/ 

Best regards.


----------



## Pete636 (Sep 24, 2014)

*No more Gsearch and Gfirewall*

I had the same problem with my Chinese new teca n9900 and I found the same apps on my phone that you mentioned. I force stopped android.cube, AdupsFotaReboot, Common Data Service, and RebootandWriteSys in app manager in the setting and now Gfirewall and Gsearch stopped automatically installing. I can't seem to enable them back to restart even after I reboot the phone except for "android.cube" that app will restart after I reboot the phone which may be the app causing them to reinstall. I'm not sure what exactly these apps do but my phone seems to work perfectly without them running. Thank you.


----------



## Tonyclift (Sep 27, 2014)

Pete636 said:


> I had the same problem with my Chinese new teca n9900 and I found the same apps on my phone that you mentioned. I force stopped android.cube, AdupsFotaReboot, Common Data Service, and RebootandWriteSys in app manager in the setting and now Gfirewall and Gsearch stopped automatically installing. I can't seem to enable them back to restart even after I reboot the phone except for "android.cube" that app will restart after I reboot the phone which may be the app causing them to reinstall. I'm not sure what exactly these apps do but my phone seems to work perfectly without them running. Thank you.

Click to collapse



It seems like now i don't have Gfirewall anymore but Gsearch got reinstalled and i've got an add displayed again so this solution doesn't really work


----------



## georgieboj (Sep 29, 2014)

*uninstall gsearch en gfirewall.*

I had the same troubles with my phone (elephone P8).  First I stopped the software, then I uninstalled it. So far so good.. Did'nt get popupsuntill now..
Succes..
Arthur
Netherlands


MatthewTaylor92 said:


> Hello guys, i have a problem as reported above with 2 bloatware apps on my android phone: Gfirewall and Gsearch.
> My phone model is UBTEL U8 (MTK model, china phone) and i'm running Android 4.2.2 ROOTED. I have no custom rom/firmware installed.
> 
> These 2 apps appeared magically about 2/3 months ago, and i thought they were safe beacuse of Google logo and name. Nothing happened in these months except for some phone crashes and restarts, but 2 days ago a banner ad appeared in my home screen at phone restart and/or phone unlock. I use AdAway (similar to AdBlock) to disable ALL TYPES of banner, ads and related on my phone, browser and apps. When i went to AdAway i noticed that was disabled: i enabled it again and restarted the phone.. but banner ads still showing.. so i went again in AdAway and it was disabled.. again!
> ...

Click to collapse


----------



## user064 (Oct 2, 2014)

UPDATE:
I'm triyng "Disconnect Mobile" to limit the amount of data probably stolen by these two applications, and after the last unistall of Gsearch and Gfirewall, they do not auto-reinstall! 



> Disconnect Mobile is a privacy app inspired by our award-winning browser software. The app actively blocks the biggest mobile trackers when you use an app or browse the web using 3G, 4G, LTE, or Wi-Fi. Optional packs include ad filtering and malware protection. Does NOT require root.
> Features:
> - Blocks the biggest mobile trackers from tracking and collecting your info
> - Blocks ads from more than 2500 ad tracking services
> - Blocks thousands of websites suspected of malware, spyware, phishing scams and more

Click to collapse



Like all ad-blocker apps, you can't find this on Play Store, you can find it on 1mobile, for example.
(I cannot post links)
Please let me know if this hint works on your phones


----------



## jorfen (Oct 2, 2014)

Hi all,  my rooted phone is Ulefone U9592 and I found this information :

http://androidforums.com/android-applications/864435-gfirewall.html

TEXT : " My phone is rooted, i set every apk need confirm install, and wait the apk download and confirm install, i used root explorer try to search which directory is. In my phone, i found "/data/user/0/com. cube. android" have the gfirewall apk, i delete that directory, also check whose apk create this directory. The apk is Cube_CJIA01.apk in /system/app, i delete this apk. It fixed.   (I think you find the name may not same Cube_CJIA01.apk)"

Well, I revised this information and the folder are :  "/data/user/0/com. cube.activity" or "/data/data/com. cube.activity" and in the folder "files"  I found  :
"_com.gsz.own.pack.apk"   and   "_com.zgs.gg.pack.apk"   (GSearch  and GFirewall),  I deleted this APK's and I think the problem is solved .....   NOT REALLY!!

If you check the folder "shared_prefs" you find various XML with the information shared at ALISOFT (Chinesse company) and specifically "ApkLoader.xml" with the URL where are downloaded GSearch and GFirewall. Only you need to delete in the XML the parts what you not are interested .... well, if you reboot the phone, the infected XML are restored. The best option is delete the file Cube_CJIA01.apk (do Backup) and reboot the phone. The mentioned folder disappears and the phone works well. Enjoy !!!

Best regards.


----------



## user064 (Oct 6, 2014)

Hi jorfen,
I want to follow your instructions, but I need to root my phone before.
Pelase can you give me some hint (or link) to find the right software?
I don't want to install another chinese spyware (like probably VROOT), to remove GFirewall and GSearch 

---------- Post added at 09:28 AM ---------- Previous post was at 08:54 AM ----------

may be I have already found the right answer to my question: Framaroot
Compatibility list:
http://www.tfq.me/rooting-almost-any-android-smartphone-without-computer/
App:
http://forum.xda-developers.com/apps/framaroot/root-framaroot-one-click-apk-to-root-t2130276


----------



## user064 (Oct 6, 2014)

jorfen said:


> If you check the folder "shared_prefs" you find various XML with the information shared at ALISOFT (Chinesse company) and specifically "ApkLoader.xml" with the URL where are downloaded GSearch and GFirewall. Only you need to delete in the XML the parts what you not are interested.

Click to collapse



I found two files "ApkLoader.xml" and "ApkLoad.xml" with similar info inside, and in both of them I modified the string starting with
*<string name="json">blah blah blah...</string>* to *<string name="json"></string>*



jorfen said:


> well, if you reboot the phone, the infected XML are restored. The best option is delete the file Cube_CJIA01.apk (do Backup) and reboot the phone. The mentioned folder disappears and the phone works well. Enjoy !!!

Click to collapse



in my phone I found some files with different names:

_com.gsz.own.pack.apk
_com.zgs.gg.pack.apk
core.apk
gad.apk
uac.apk
uac.dex

jorfen, Cube_CJIA01.apk was in "/data/user/0/com.cube.activity/files" (or similar) in your phone?
Thanks in advance,
Federico


----------



## jorfen (Oct 6, 2014)

Hi Federico,

I think you already have rooted the phone. Well, I used for this MTKDroidTools, found in this forum  (and modified for only install 'su" and "SuperUser.apk"). No problem, only is needed root for System access.

The app Cube_CJIA01.apk is in the folder "/System/app/" (the normal folder for System App's ). The folder "/data/user/0/" is a soft-link (use ln in linux) to the folder "/data/data/"). You locate in this folders the same information, and this is a default folder for working or write files, used in the APK's. Every reboot of phone regenerate information in this folder.

Best regards.


----------



## user064 (Oct 9, 2014)

Good news from my virus submission request at Trend Micro:


> The two samples are confirmed as malware.
> They will be detected as AndroidOS_FakeGSearch.A

Click to collapse



From now, all products coming from Trend Micro will handle this malware the right way


----------



## MatthewTaylor92 (Sep 8, 2014)

Hello guys, i have a problem as reported above with 2 bloatware apps on my android phone: Gfirewall and Gsearch. 
My phone model is UBTEL U8 (MTK model, china phone) and i'm running Android 4.2.2 ROOTED. I have no custom rom/firmware installed.

These 2 apps appeared magically about 2/3 months ago, and i thought they were safe beacuse of Google logo and name. Nothing happened in these months except for some phone crashes and restarts, but 2 days ago a banner ad appeared in my home screen at phone restart and/or phone unlock. I use AdAway (similar to AdBlock) to disable ALL TYPES of banner, ads and related on my phone, browser and apps. When i went to AdAway i noticed that was disabled: i enabled it again and restarted the phone.. but banner ads still showing.. so i went again in AdAway and it was disabled.. again! 
I have a similar problem with 3G/H connection with Vodafone. Everytime i disable internet connection, it gets activated again in 1 minute max.. so i can't disable internet.. never!

I removed these 2 bloatware apps today and fortunatly they didn't show up again or get reinstalled.. ads and AdAway blocks are disappeared. I started a lot of antivirus controls with Avira and nothing showed up.. so i thought i was fine, BUT the internet problem persists.. i can't disable internet everytime i want. Someone of you could help me to solve this problem? I hope there is an alternative method to solve this without format/reset the phone!


----------



## Pete636 (Oct 10, 2014)

*Gfirewall and Gsearch reinstalling solved*

I purchased two New Teca N9900 chinese phones for my wife and I. Then after a while I started getting full screen ads when swiping the lock screen. I found It was Gfirewall and Gsearch causing this. I would uninstall them and they would reinstalling them selves  between 10:00pm and 1:00am every night. But My wife was not having this problem, so I searched all my system apps and hers under settings/apps/all, and I noticed that I had an app called "Android.cube" so I forced stopped it and the ads stopped after unlocking the screen and Gfirewall and Gsearch do not reinstall them selves any more. But it will enable it selve back on after a few days or if you reboot your phone. I tried to uninstall but you need "ROOT" access so I had no choice but to ROOT my phone and uninstall Android.cube app from the phone and my problem has gone.


----------



## user064 (Oct 16, 2014)

another update from Trend Micro:


> The file com.cube.activity is confirmed as Malicious.
> We will detect it as AndroidOS_CubeBkd.A

Click to collapse



so it is a good idea delete from your mobile Cube_CJIA01.apk (in /System/app/ folder), together with /data/user/0/com.cube.activity folder (the name of this folder can be slightly different).

That's all folks :good:


----------



## mkatorz (Oct 16, 2014)

*Ultimate Solution Without Root!*

Hi Guys!

I have the same problem on Concorde Smartphone 5700. I tried to delete the bastard apps: GSearch, GFirewall and the fake Play. No point. 
So I changed my tactics: do not delete them but block them! WITHOUT ROOTING!
Download, install and start the NOROOT FIREWALL: by Grey Shirts  - 2013. november 13!
Remove the use of Internet rights from these apps . And that's it! They never bother you again!

---------- Post added at 06:11 PM ---------- Previous post was at 05:58 PM ----------

Hi Guys!

I have the same problem on Concorde Smartphone 5700. I tried to delete the bastard apps: GSearch, GFirewall and the fake Play. No point. 
So I changed my tactics: do not delete them but block them! WITHOUT ROOTING!
Download, install and start the NOROOT FIREWALL: by Grey Shirts - 2013. november 13!

Remove the use of Internet rights from these apps . And that's it! They never bother you again!


----------



## maki25 (Oct 22, 2014)

HELLO ALL AND THANKS FOR THIS INFO!!

I deleted Cube_CJIA01.apk  and OperaServices.apk files  from  "system/App folder". I searched any files that contains "Cube" Word in the system folder and deleted it,  too. I downloaded CM Security and now no detect any troyan. :good:


----------



## user064 (Oct 22, 2014)

Hi maki25,
a bit radical, may be, but if it works for you... ; )
Now you can also install the antivirus Trend Micro Mobile Security & Antivirus; the free version detects and clean all this malware correctly:
https://play.google.com/store/apps/details?id=com.trendmicro.tmmspersonal.emea
I'm not a TM affiliate BTW, but I still think this is a very good product.


----------



## CT's (Oct 23, 2014)

*HELP*

Guys i need help i did all of what you said and my phone is working fine but i found out when i connect it to my computer its not giving me the option to connect it as storage what am i suppose to do?!! HELP


----------



## TheKindleMCPEGuy (Oct 24, 2014)

user064 said:


> I have the same problem with Gfirewall and Gsearch in my STAR N9800
> Same full screen banner ad in my home screen.
> In my phone there is Trend Micro Worry Free Business Security Services as antivirus, but nothing was found after a full scan.
> If I find something new, I'll write here

Click to collapse



The Google Play is fake,so remove it. There's a tutorial on amazon bruh 



Spoiler



I provide support in Q&A and Kindle Fire HD sections. Xbox:computernerd888. I'm currently applying for Forum Ambassador on there. MCPE:TechGuy341523,R3kTtechMC or r3kt_iSuck3r.


----------



## Mobile amateur (Oct 28, 2014)

*Android Gsearch problem*

I've solved this now on my tronsmart ps7 so what I did was I downloaded Root Explorer it has to be full version but I donwloaded from 4shared then I did go data/user/0 and here I found this kind of file named com.cube.activity and I deleted it cause when I did researches about it I found out that this program can install other programs without any permission on your phone so after I deleted it and uninstalled Gsearch i didn't see this Gsearch anymore  I hope this helped even some1


----------



## Mobile amateur (Nov 4, 2014)

user064 said:


> I have the same problem with Gfirewall and Gsearch in my STAR N9800
> Same full screen banner ad in my home screen.
> In my phone there is Trend Micro Worry Free Business Security Services as antivirus, but nothing was found after a full scan.
> If I find something new, I'll write here

Click to collapse



i know how to fix it but I ain't tell u how


----------



## devsup (Nov 21, 2014)

Hello everybody!

I have the inew i6000+ with the same problems.
When i first saw this thread i used App Quarantine to block this Gsearch and Gfirewall **** as suggested by martinzx13.
That really helped a lot. After some time i saw a new Gsearch version coming to my phone . I blocked it again and was
ok until today.

Then after coming back to this thread, i finally wanted to make an end to this malware.
I used Root Uninstaller to uninstall android.cube, AdupsFotaReboot, RebootAndWriteSys and Common Data Service.
The system apps mentioned by rwbcca and Pete636.
Removing android.cube, AdupsFotaReboot was fine but after uninstalling Common Data Service some error messages
popped up and after a while the phone freezed.
(I was a little bit worried before removing these apps but i thought using force would be the best option.)

I rebooted but i went into a bootloop.
Even after clearing the Emmc in the recovery mode the phone is still not booting.

Can someone please tell me what i could do now?
I would be very grateful if someone can give me a good solution.

Right now the phone is absolutely unuseable.


----------



## heyo99 (Dec 8, 2014)

*How to get rid of gsearch virus...*



matthewtaylor92 said:


> hello guys, i have a problem as reported above with 2 bloatware apps on my android phone: Gfirewall and gsearch.
> My phone model is ubtel u8 (mtk model, china phone) and i'm running android 4.2.2 rooted. I have no custom rom/firmware installed.
> 
> These 2 apps appeared magically about 2/3 months ago, and i thought they were safe beacuse of google logo and name. Nothing happened in these months except for some phone crashes and restarts, but 2 days ago a banner ad appeared in my home screen at phone restart and/or phone unlock. I use adaway (similar to adblock) to disable all types of banner, ads and related on my phone, browser and apps. When i went to adaway i noticed that was disabled: I enabled it again and restarted the phone.. But banner ads still showing.. So i went again in adaway and it was disabled.. Again!
> ...

Click to collapse



i think i got rid of it finelly....
1- settings
2- apps
3- running apps
4- google services
5- scrol down, click launch
6- account history
7- clear all history..
Thats it...
Good luck guys.. It worked for me...hope works for you too.


----------



## MatthewTaylor92 (Dec 12, 2014)

user064 said:


> I don't think to do any hard reset, if these are hard coded in ROM, this is not a stable solution
> IMHO there are only two exit ways:
> 
> 1) do a virus submission request
> ...

Click to collapse



These 2 apps didn't reappear for me, probably I solved with reset of the phone.. anyway, I don't think they are embedded in the ROM.
I don't exactly remember my steps before removal, but you can try:
-try remove sd-card(probably i did)
-remove apps with antivirus (i have CM security) and clean memory and cache (i have CleanMaster for this)
-reboot phone
-check if apps reappeared, in my case they dind't show up again, but i still had problems with ads and internet
-so if they DO NOT reappear after boot, do a backup for apps and data and hard reset your phone. (SOLVED FOR ME)
-if they reappear... try anyway to reset.. but i don't know if this can solve the problem!


----------

