As you already know, the only way to truly verify a purchase token as being legitimate is to do so from the backend via the in-app billing API. And as far as I know there is no way to 100% accurately pre-verify a token. But if you are willing to accept some margin of error...
Token format
In my experience, as of February 2016, invalid purchase tokens come in three formats:
Correctly formatted tokens, on the other hand, are long tokens with two parts: 24 alpha characters, a dot (.), and a second part that starts with AO-J1O..., e.g. olcgkklnpigiceancikanedj.AO-J1O...
Rootedness
Users that attempt to make fraudulent purchases comprise a substantial percentage of all checkout attempts. Furthermore, they often attempt to check out multiple times. Nearly all of these attempts come from rooted devices. I strongly believe that having a rooted device is everyone's right, and that there are legitimate reasons for having a rooted device. However, it also seems that having root is a requirement for attempting fraudulent purchases. I use this (imperfect) method to determine whether a device is rooted.
Conclusion
I do not suggest that you treat all rooted users as fraudulent hackers. But in my limited experience, rooted devices that generate malformed tokens are likely to receive an "invalid token" error. This is by no means a perfect method, since
- Rooted devices have also generated valid tokens for me
- Un-rooted devices have generated invalid tokens for me
- Most importantly, I believe that "malformed" tokens are merely emulating an obsolete token format. As Google changes the token format, so too will the authors of the hacking apps change their fake tokens to match that format. You will have to stay on top of these developments, and accept a certain margin of false positives and false negatives.
Please see my other answer for more details on this issue.
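The shape check the answer describes (24 alpha characters, a dot, a second part beginning "AO-J1O"), written out as a pre-screen that triages tokens before the authoritative backend verification. This is an added example, not the answerer's code; the character set allowed after the "AO-J1O" prefix and the sample tokens are assumptions constructed for illustration, and a "plausible" result still has to be confirmed through the in-app billing API.

```python
import re
from typing import NamedTuple, Optional

# Format heuristic from the answer (as of February 2016): 24 alphabetic
# characters, a dot, then a second part starting with "AO-J1O".
# ASSUMPTION: the characters permitted after that prefix are not stated
# in the answer; a URL-safe base64 alphabet is assumed here.
FIRST_PART = r"[A-Za-z]{24}"
SECOND_PART = r"AO-J1O[A-Za-z0-9_\-]*"
TOKEN_RE = re.compile(rf"^{FIRST_PART}\.{SECOND_PART}$")


class PreCheck(NamedTuple):
    plausible: bool
    reason: str


def precheck_purchase_token(token: Optional[str]) -> PreCheck:
    """Cheap triage of a purchase token's *shape* only.

    plausible=True is NOT a verification: only the billing API on the
    backend can confirm the token. plausible=False lets the caller log
    the attempt and skip the backend call, accepting some false positives.
    """
    if not isinstance(token, str) or not token:
        return PreCheck(False, "empty or non-string token")
    if token.count(".") != 1:
        return PreCheck(False, "expected exactly one dot separator")
    first, second = token.split(".")
    if not re.fullmatch(FIRST_PART, first):
        return PreCheck(False, f"first part must be 24 alpha chars, got {len(first)}")
    if not second.startswith("AO-J1O"):
        return PreCheck(False, "second part does not start with AO-J1O")
    if not TOKEN_RE.match(token):
        return PreCheck(False, "unexpected characters in second part")
    return PreCheck(True, "well-formed; verify with the billing API")


def triage(tokens) -> dict:
    """Count how many tokens would still need a backend call."""
    results = [precheck_purchase_token(t) for t in tokens]
    return {
        "needs_backend_verification": sum(r.plausible for r in results),
        "rejected_locally": sum(not r.plausible for r in results),
    }


# Constructed sample tokens (the first uses the answer's example prefix
# with a made-up suffix; the rest are deliberately malformed).
SAMPLE_TOKENS = [
    "olcgkklnpigiceancikanedj.AO-J1Oabc_DEF-123",
    "",
    "abc.def",
    "olcgkklnpigiceancikanedj.XYZ",
    "olcgkklnpigiceancikanedj.AO-J1O!!",
]
```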