In my experience, people don't really care about rooted devices and non-stock Android -- if those devices are actually phones in the hands of human users.

The big fraud vector is running emulators in datacenters or skipping running the app entirely and talking directly to endpoints. Requiring that an entity making a request is from a real phone and is from (approximately) your app adds friction and is effective at reducing fraud.