I got the same warning email from Google Play, for a game built with Cocos2d-x v3.9.
It looks like the dependency chain is libcurl -> libssl, and libcurl is being included in the Android build:
Correct me if I'm wrong please, someone, but I thought curl had been replaced with the native HTTP stack on Android, so should this still be required?
(In my case, though, the OpenSSL dependency is also for libwebsocket compiled with SSL support.)
If you're compiling external dependencies from source it should be fairly straightforward to upgrade. There is actually an existing PR for it here - https://github.com/cocos2d/cocos2d-x-3rd-party-libs-src/pull/80
Hopefully the ultimatum from Google will raise the priority of having this upgraded or removed from binary dependencies.