From the report (linked as a PDF here):
The following research on mobile malware trends during 2013 was conducted by Cisco TRAC/SIO and by Sourcefire, now part of Cisco.
Mobile malware that targets specific devices made up just 1.2 percent of all web malware encounters in 2013. Although not a significant percentage, it is still worth noting because mobile malware is clearly an emerging—and logical—area of exploration for malware developers. According to Cisco TRAC/SIO researchers, when mobile malware is intended to compromise a device, 99 percent of all encounters target Android devices. Trojans targeting Java Micro Edition (J2ME)-capable devices held the second spot in 2013, with 0.84 percent of all mobile malware encounters. Not all mobile malware is designed to target specific devices, however. Many encounters involve phishing, likejacking, or other social engineering ruses, or forcible redirects to websites other than expected.
Back in the early 2000s, there were similar scares on the growing 'Series 60' platform (part of Symbian), with a small percentage of people unwittingly passing on hacked applications and booby trapped text messages. The warnings put up by the OS stopped such outbreaks from getting very far, despite apparent stupidity from most infected users, but Symbian put an end to the phenomenon once and for all by introducing 'platform security' in a big OS update around 2005. From then on, all installable applications had to be digitally signed (and thus tested) before they could be installed by end users.
This scene predated the 'app store' era, but the same thought was there, i.e. that everything needed to be tested/curated to some degree. The Android world right now is in a similar state to the Symbian/Series 60 world in the early 2000s, in that it's trivially easy (one check box) to open up your device to untested applications that can be side loaded from who-knows-where. As a result (and, predictably, apparently centred around Russia), there's something of a burgeoning scene in pirated/hacked applications in the Android ecosystem, at least some of which is compromised, i.e. malware.
Why am I mentioning all this on AAWP? Just to point out that you can ignore all scare stories and mentions of 'mobile malware' in the media, since it's very hard indeed (you have to jump through developer hoops and involving payment) to sideload untrusted applications onto Windows Phone. 99.999% of Windows Phone applications installed in 2014 will be via the Microsoft-run Store and will have been tested and signed properly.
Even web-based exploits are unlikely to get very far, since there's no Java or Flash support in the Internet Explorer browser. Windows Phone is, to all intents and purposes, a 'no go' operating system for malware.