Sybil attack implementation is almost trivial.
Implementation of the Sybil attack is trivial if the CAPTCHA_API key is not bound to a given app package name. I don't know how it works for CAPTCHA API keys and only have experience with Google Maps API keys, but for the latter, you can bind the API key to some package name. Maybe it's not possible here because it's embedded in a WebView, if I understand correctly.
As a consequence, rebuilding the app with different package names and setting trivial time filters for "listening" allows one to retrieve the time at which you were contaminated, if it happens that you are.
Here are screenshots of 3 instances of the app running in parallel on the same phone and perfectly registered to the official server (and broadcasting their own EBIDs).