The reason for the permissions is that the app acts under the System User ID and can therefore access any permission the system process has access to (i.e. all of them).
Here is the permissions part of the Android_Manifest file - note the android:sharedUserId field:
Code:
<manifest xmlns:android="http://schemas.android.com/apk/res/android" android:sharedUserId="android.uid.system" package="com.sec.activemode">
<permission android:name="com.sec.activemode.compass.permission.MAPS_RECEIVE" android:protectionLevel="signature"/>
<uses-permission android:name="com.sec.activemode.compass.permission.MAPS_RECEIVE"/>
<uses-permission android:name="com.google.android.providers.gsf.permission.READ_GSERVICES"/>
<uses-permission android:name="android.permission.CAMERA"/>
<uses-permission android:name="android.permission.WAKE_LOCK"/>
<uses-permission android:name="android.permission.INTERNET"/>
<uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION"/>
<uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
<uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
<uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
<uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
<uses-permission android:name="android.permission.VIBRATE"/>
<permission android:name="com.android.launcher.permission.INSTALL_SHORTCUT" android:permissionGroup="android.permission-group.SYSTEM_TOOLS" android:protectionLevel="dangerous"/>
<permission android:name="com.android.launcher.permission.UNINSTALL_SHORTCUT" android:permissionGroup="android.permission-group.SYSTEM_TOOLS" android:protectionLevel="dangerous"/>
I will further reverse engineer this tomorrow to see if I can determine if it uses any dangerous permissions and if it really needs to operate under the system user. As a general rule of thumb I would never trust an app that operates under the system user unless I had full access to the source code - I run one of my own apps under the system user because the class it accesses isn't visible to a standard user id (acts as a shortcut to the KitKat Easter Egg on HTC phones because HTC always disable the easter eggs) but then again, I have the source code and I built it so I know it's not dangerous. With this, though, I can't be sure.
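A way to run the manifest check described above over any decoded manifest, as an added example that is not part of the original post or of the app's code. It assumes the manifest has already been decoded to text XML (for instance with apktool); `audit_manifest`, `SAMPLE_MANIFEST` and the report keys are hypothetical names, and the sample is a shortened, constructed copy of the excerpt quoted above.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed sample: a shortened, well-formed copy of the excerpt in the post.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    android:sharedUserId="android.uid.system" package="com.sec.activemode">
  <permission android:name="com.sec.activemode.compass.permission.MAPS_RECEIVE"
      android:protectionLevel="signature"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <permission android:name="com.android.launcher.permission.INSTALL_SHORTCUT"
      android:protectionLevel="dangerous"/>
</manifest>"""


def _attr(elem, name):
    """Read an android:-namespaced attribute, or None if it is absent."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def audit_manifest(xml_text):
    """Summarise the identity and permission surface of a decoded manifest."""
    root = ET.fromstring(xml_text)
    shared_uid = _attr(root, "sharedUserId")
    # Platform shared UIDs are named android.uid.*; the post's concern is
    # android.uid.system, where the <uses-permission> list stops being a bound.
    platform_uid = bool(shared_uid) and shared_uid.startswith("android.uid.")
    requested = [_attr(e, "name") for e in root.iter("uses-permission")]
    # protectionLevel defaults to "normal" and may carry flags after a "|".
    declared = {_attr(e, "name"): (_attr(e, "protectionLevel") or "normal")
                for e in root.iter("permission")}
    findings = []
    if platform_uid:
        findings.append("runs under platform shared UID %s" % shared_uid)
    for name, level in declared.items():
        if level.split("|")[0] != "signature":
            findings.append("declares %s at level %s" % (name, level))
    return {"package": root.get("package"), "shared_uid": shared_uid,
            "platform_uid": platform_uid, "requested": requested,
            "declared": declared, "findings": findings}


if __name__ == "__main__":
    for finding in audit_manifest(SAMPLE_MANIFEST)["findings"]:
        print(finding)
```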