Tuesday, 3 February 2015

N9000W malware finally found: com.skymobi.lockframe.iphone, /system/app/mopolocker.3xnote3_v3.032_20131127_suntel.apk

After some time, I again noticed new unwanted installations:

http://sesionesfrikis.blogspot.com.es/2015/01/kinguser-replacement-by-superuser-by.html

I include here some screenshots.
There is an "i"-inside-a-circle notification.

And this informs that a new app, "BubbleShoot", was installed... not by me.
Another app, "GoLink", was installed at the same time.
A long press on the "BubbleShoot" notification finally shows the app involved... where the malware is.

App name is "SamsungNote3Locker", package "com.skymobi.lockframe.iphone",
with /system/app/mopolocker.3xnote3_v3.032_20131127_suntel.apk.
I removed this package with Titanium Backup, and I finally hope the malware is removed.
I also checked with "pm list packages" that no more com.skymobi.* packages are present.

I found this package appears on some websites:
- AVG antivirus http://www.avgthreatlabs.com/android-app-reports/app/com.skymobi.lockframe.iphone/
Where it says "Active malware!
During the last 7 days potentially active malware was detected for this android app. (updated Feb 03, 2015 GMT)"

- In this forum, also with an M-HORSE N9000W:
"Malicious app that installs apps without doing anything" (original title: "Aplicación maliciosa que instala aplicaciones sin hacer nada")
http://www.movilesdualsim.com/tema/aplicacion-maliciosa-que-instala-aplicaciones-sin-hacer-nada.85963/

- In this forum, where "baidu browser" and "share it" appear, apps I also saw installed...
http://forums.androidcentral.com/samsung-galaxy-s2/453282-mobile-internet-has-coo123-popup-anyone-know-how-fix.html

Edit: testing Sophos security, it finds ExpandPointWall.apk ("Potentially unwanted app. Category: Adware") in /storage/sdcard0/.1/ExpandPointWall.apk

Looking for *skymobi* files, I found:

/storage/sdcard0/Android/data/com.skymobi.pay.newsdk/
/storage/sdcard0/skymarket/com.skymobi.mopoplay.appstore/
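The two checks described above (listing the com.skymobi.* packages still present with "pm list packages", and telling apart the /system/app package that needed Titanium Backup from ordinary user-installed ones) can be scripted. The following is an added example and not code from the original post: it parses the output of "pm list packages -f" (format "package:<apk path>=<package name>") and reports every package under a given prefix together with whether its APK sits in the system partition. The sample output embedded in the script is constructed, modelled on the paths and package names quoted in the post; on a real device it would come from "adb shell pm list packages -f".

```shell
#!/bin/sh
# Added example (not from the original post). Audits "pm list packages -f"
# output for packages under a suspicious prefix and marks each one as
# "system" (APK under /system, needs root such as Titanium Backup to remove)
# or "user" (APK under /data, removable with a plain "pm uninstall").

# Constructed sample of "pm list packages -f" output, modelled on the post.
SAMPLE_PM_OUTPUT='package:/system/app/mopolocker.3xnote3_v3.032_20131127_suntel.apk=com.skymobi.lockframe.iphone
package:/data/app/com.example.game-1.apk=com.example.game
package:/system/app/Settings.apk=com.android.settings
package:/data/app/com.skymobi.pay.newsdk-1.apk=com.skymobi.pay.newsdk'

# is_system_apk <apk path>: succeeds if the APK is part of the system image.
is_system_apk() {
    case "$1" in
        /system/app/*|/system/priv-app/*) return 0 ;;
        *) return 1 ;;
    esac
}

# audit_packages <prefix>: reads pm output on stdin and prints one line per
# package whose name starts with <prefix>: "<package> <system|user> <apk path>".
audit_packages() {
    prefix="$1"
    # turn "package:<apk>=<pkg>" into "<pkg> <apk>"
    sed -n 's/^package:\(.*\)=\(.*\)$/\2 \1/p' |
    while read -r pkg apk; do
        case "$pkg" in
            "$prefix"*)
                if is_system_apk "$apk"; then kind=system; else kind=user; fi
                printf '%s %s %s\n' "$pkg" "$kind" "$apk"
                ;;
        esac
    done
}

# count_matching <prefix> [system|user]: number of matching packages in the
# constructed sample, optionally restricted to one kind.
count_matching() {
    printf '%s\n' "$SAMPLE_PM_OUTPUT" | audit_packages "$1" |
    awk -v want="${2:-}" 'want == "" || $2 == want { n++ } END { print n + 0 }'
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_PM_OUTPUT" | audit_packages com.skymobi.
```

Against a connected device the same function is fed from adb: "adb shell pm list packages -f | audit_packages com.skymobi." lists what is still installed, and anything reported as "system" is exactly the case from this post, where a normal uninstall is not enough. The leftover directories under /storage/sdcard0 listed above are not packages and do not show up in "pm list packages"; they are found separately with "adb shell find /storage/sdcard0 -iname '*skymobi*'".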