For those who weren't or haven't, it was a geofenced, anonymous message board app targeted to college students that became fairly popular over the first two years of its existence before gradually fading into obscurity and finally being shut down in 2017 (but as of 2021 was rebooted with pseudonymous accounts, IIRC). Users could see any messages within a certain radius (0.5 miles or so, I think) and messages could be upvoted and downvoted, and were sorted by their vote score. Messages with a score of -5 disappeared forever, and I think also eventually aged out.
Being a chaotic sophomore with some Android experience, I decided it would be fun to decompile the app and see how it worked. I discovered that each device was assigned an ID based on a timestamp, IMEI, and a few other pieces of information that could be easily spoofed, by calling a fixed HTTP endpoint to generate as many new IDs as I liked.
I generated ~500 or so IDs using some Java code, hardcoded them into a .class file, and added some hooks to intercept existing calls to set up the Android UI and add my own event listeners. From there I added a button to the app's menu bar with a radiation hazard icon that would use the generated IDs to nuke every message in range of the user, downvoting them all to -5 and causing them all to disappear instantly. I also added the ability to long-press the upvote and downvote buttons, which would bring up a dialog with a slider allowing the user to upvote or downvote any post up to 500 times, sending it to the top of the list (or downvoting it to oblivion). Finally, I rebuilt the app with my added .class file patch.
Needless to say, this was a source of great fun and mischief for my friends and me. The most entertaining event was attending a hackathon at our (much larger) rival university's campus, where we nuked every local post a few times a day for 72 hours and voted our own posts up 500 times.
It was fun to mess with for a few months or so. We never distributed the patched app, for obvious reasons, and we never used it for anything truly malicious beyond being a mild local nuisance denial-of-service.