Malware detection systems can be configured to detect the presence of malware on compute devices. Some known malware detection systems can use known assets of identified malware samples to determine whether a computer application was likely made by the same entity that created the malware samples, and therefore whether the computer application is itself likely malware. For example, some known malware detection systems compare code of malware samples and computer applications to determine whether the application is malware. Small differences in code can, however, cause such a system to incorrectly determine that the application is not malware. Additionally, it can be difficult to access all portions of the code in a computer application to determine whether the application may be malware. Specifically, some computer applications may, for a variety of reasons, protect the code of the application to prevent others from accessing and reviewing the code. Further, analyzing code alone may not allow a system to identify tactics malware writers use to reach users, and therefore may not allow administrators to draw inferences from the tactics of known malware samples to determine the likelihood that the computer application is also malware. Further, analyzing the code alone may make it difficult to visualize the results of analyzing the computer application in a form that a malware analyst can later use to perform other actions, such as determining where to focus future malware analysis.
Accordingly, a need exists for methods and apparatus that use mechanisms other than code analysis to reduce false negative malware determinations, that analyze potential malware samples when code is not available, and that provide streamlined visualizations of the analysis data to allow analysts to fine-tune malware analysis procedures.