A computer-implemented method for detecting malware variants may include (1) identifying an application package file including at least one class file, (2) identifying a set of metadata fields within the class file, (3) comparing the set of metadata fields within the class file with a set of metadata fields within a corresponding class file found in a known malware package to determine a similarity between the application package file and the known malware package, and (4) determining, based on the similarity between the application package file and the known malware package, that the application package file is a threat variant in a same threat family as the known malware package. Various other methods, systems, and computer-readable media are also disclosed.