This would be an interesting method of baiting a honeypot: “accidentally” leave a verification code un-redacted and enough information to find the app in the screenshot. Put a timer on it to set the hook on the impulsive. User thinks they’re being sneaky, installs the app, enters the code but now they’ve turned their phone a DDoS bot or something.

Don’t even have to care if it’s a legitimate and non-expired code since the honeypot operator won a whole step ago when the user mashed the “give full control of my device and my lunch money to this app” button.