Open-source spyware bypasses Google Play defenses — twice